## Drizzle ORM Users Under Pressure: SQL Injection Flaw Patched After 7-Month Window
A critical SQL injection vulnerability (CWE-89) in the drizzle-orm library went unpatched for an extended period before being addressed in version 0.45.2, raising questions about exposure in production systems that have not yet updated. The flaw resided in the `sql.identifier()` and `sql.as()` functions, where input values were not properly escaped, creating a direct path for injection attacks against applications using these methods.

The vulnerability was identified and reported to the Drizzle team by community members EthanKim88, 0x90sh, and wgoodall01, who provided both reproduction steps and a suggested fix. The patch, released as part of version 0.45.2, corrects the escaping logic that previously failed to sanitize values passed through these SQL construction functions. Version 0.38.4, the baseline this update moves from, predates the fix and remains affected. Any project running drizzle-orm at a version in that range (0.38.4 or later, before 0.45.2) that relies on `sql.identifier()` or `sql.as()` faces potential risk.
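The following is an added example, not Drizzle's own code, illustrating the class of defect described above: an identifier or alias helper that wraps a name in double quotes without escaping embedded quotes lets a caller-supplied value terminate the quoted identifier early, while PostgreSQL-style quoting (doubling embedded `"`) or an allowlist keeps the name inert. The function names, the `FROM t` query shape and the sample alias are constructed for this illustration.

```typescript
// Added example (not drizzle-orm code): naive vs. hardened identifier quoting.

// Naive version: wraps the name in double quotes without escaping.
// An embedded `"` ends the identifier early; this is the shape of defect
// described for sql.identifier() / sql.as() before 0.45.2.
function quoteIdentifierNaive(name: string): string {
  return `"${name}"`;
}

// Hardened version: double every embedded double quote (PostgreSQL identifier
// quoting rules) and reject NUL bytes, which PostgreSQL does not accept.
function quoteIdentifier(name: string): string {
  if (name.includes("\0")) {
    throw new Error("identifier contains a NUL byte");
  }
  return `"${name.replace(/"/g, '""')}"`;
}

// Stricter alternative for identifiers that originate from configuration or
// request data: accept only a conservative pattern (max 63 chars, as in
// PostgreSQL), so quoting never has to do the heavy lifting.
const SAFE_IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;

function assertSafeIdentifier(name: string): string {
  if (!SAFE_IDENTIFIER.test(name)) {
    throw new Error(`unsafe identifier rejected: ${JSON.stringify(name)}`);
  }
  return name;
}

// Builds the kind of SELECT ... AS ... fragment the affected helpers are
// used for, with a pluggable quoting strategy.
function selectWithAlias(
  column: string,
  alias: string,
  quote: (s: string) => string,
): string {
  return `SELECT ${quote(column)} AS ${quote(alias)} FROM t`;
}

// Constructed input: an alias containing a double quote.
const hostileAlias = 'a" FROM other_table --';
console.log(selectWithAlias("id", hostileAlias, quoteIdentifierNaive));
// naive:    SELECT "id" AS "a" FROM other_table --" FROM t
console.log(selectWithAlias("id", hostileAlias, quoteIdentifier));
// hardened: SELECT "id" AS "a"" FROM other_table --" FROM t
```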

Drizzle ORM is a widely adopted TypeScript ORM supporting PostgreSQL, MySQL, and SQLite, meaning the affected code paths could appear across a broad range of web applications, APIs, and backend services. The library's popularity in the Node.js ecosystem amplifies the significance of this patch. Maintainers of dependent projects are advised to audit their usage of the flagged functions and prioritize the upgrade. The incident also highlights the ongoing reliance on community-reported security disclosures in the open-source ecosystem, and the lag that can occur between vulnerability introduction and widespread remediation.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: sql-injection, CWE-89, security-patch, open-source-security, drizzle-orm
- **Credibility**: unverified
- **Published**: 2026-05-05 21:31:38
- **ID**: 79553
- **URL**: https://whisperx.ai/en/intel/79553