Drizzle ORM 0.45.2 Patches Critical SQL Injection Vulnerability (CWE-89)
A critical security vulnerability has been patched in the widely used Drizzle ORM library. The patch, released in version 0.45.2, addresses a flaw in the `sql.identifier()` and `sql.as()` functions: values passed to them were not properly escaped, creating a SQL injection (CWE-89) attack vector. These helpers exist because identifiers (table, column and alias names) cannot be sent to the database as bound parameters, so escaping is the only thing standing between a user-influenced name and the final query text. When that escaping fails, a crafted name can break out of the quoted identifier and append arbitrary SQL, potentially leading to data theft, data corruption, or complete compromise of the database.
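To make the failure mode concrete, the following is an added illustrative example written for this article. It is not Drizzle's code and does not reproduce the patched implementation: the two quoting functions (`quoteIdentifierUnsafe`, `quoteIdentifierSafe`), the query builder, the statement counter and the attacker-supplied column value are all assumptions that model the class of bug described above, namely an identifier helper that wraps a name in double quotes without escaping embedded quotes, placed next to the SQL-standard form that doubles them (PostgreSQL-style double-quoted identifiers are assumed).

```typescript
// Added illustrative example for this article. It is NOT Drizzle ORM code and
// does not reproduce the patched implementation; the function names, the exact
// escaping behaviour and the attacker input are assumptions that model the
// class of bug described in the advisory for a double-quoted (PostgreSQL-style)
// identifier dialect.

// Vulnerable pattern (assumed): wrap the name in double quotes without escaping
// embedded quotes. A name that contains '"' closes the identifier early and the
// rest of the name becomes raw SQL.
function quoteIdentifierUnsafe(name: string): string {
  return `"${name}"`;
}

// Hardened pattern: SQL-standard delimited identifiers escape an embedded
// double quote by doubling it, so the identifier cannot be terminated by its
// own contents.
function quoteIdentifierSafe(name: string): string {
  return `"${name.replace(/"/g, '""')}"`;
}

// How an ORM builds a clause whose identifiers come from application code.
// Identifiers cannot be sent as bound parameters, so the quoting function is
// the only defence between the name and the query text.
function buildOrderBy(
  table: string,
  column: string,
  quote: (name: string) => string,
): string {
  return `SELECT * FROM ${quote(table)} ORDER BY ${quote(column)}`;
}

// Constructed attacker-controlled "sort column", e.g. taken from ?sort=... in
// a URL and forwarded to the identifier helper unchanged.
const MALICIOUS_COLUMN = 'id"; DROP TABLE users; --';

// Counts top-level statements in the generated text, honouring double-quoted
// identifiers so that a ';' inside a quoted name is not a statement boundary.
// Trailing comment-only fragments are ignored. (Single-quoted string literals
// are not handled; they do not occur in this demonstration.)
function statementCount(sql: string): number {
  let inQuote = false;
  let count = 0;
  let current = '';
  const flush = (): void => {
    const s = current.trim();
    if (s.length > 0 && s.slice(0, 2) !== '--') count++;
    current = '';
  };
  for (const ch of sql) {
    if (ch === '"') inQuote = !inQuote; // a doubled "" inside a name toggles twice
    if (ch === ';' && !inQuote) {
      flush();
      continue;
    }
    current += ch;
  }
  flush();
  return count;
}

// Defence in depth that applies whatever the ORM version: user input selects
// from a fixed allowlist of names rather than naming an identifier directly.
function pickSortColumn(requested: string, allowed: readonly string[]): string {
  if (allowed.indexOf(requested) === -1) {
    throw new Error(`unsupported sort column: ${requested}`);
  }
  return requested;
}

const unsafeQuery = buildOrderBy('users', MALICIOUS_COLUMN, quoteIdentifierUnsafe);
const safeQuery = buildOrderBy('users', MALICIOUS_COLUMN, quoteIdentifierSafe);
console.log(`${statementCount(unsafeQuery)} statement(s): ${unsafeQuery}`);
console.log(`${statementCount(safeQuery)} statement(s): ${safeQuery}`);
```

With the unsafe quoting the generated text contains two statements, the second of which is the attacker's `DROP TABLE`; with doubled quotes the whole payload stays inside one identifier that simply names a column that does not exist, which the database rejects. The allowlist function is the control that should sit in front of either helper in application code.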
The issue was reported, together with a reproduction case and a suggested fix, by external security researchers EthanKim88, 0x90sh, and wgoodall01. The fix, commit `273c780`, was released promptly after disclosure. The incident underlines the importance of correct escaping in database abstraction layers: thousands of developers rely on an ORM to produce safe query text, and a single unescaped code path in an identifier helper undermines that guarantee for every caller.
Any project using Drizzle ORM should upgrade to version 0.45.2 without delay. The vulnerability is present in version 0.45.1 and potentially earlier releases. Bumping the direct dependency is not enough on its own: teams should audit their lockfiles and deployment pipelines for nested or transitive copies of `drizzle-orm` (for example with `npm ls drizzle-orm`) and confirm that the patched version is what actually ships. Until the upgrade is deployed, the usual precaution applies regardless of ORM version: never pass user-controlled strings to identifier or alias helpers, and resolve user-selectable table or column names against a fixed allowlist instead. This event is a reminder of the latent risk in open-source dependencies and of the value of coordinated vulnerability disclosure in the software ecosystem.
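As an added example for this article (not a Drizzle tool and not part of the advisory), the script below checks an npm `package-lock.json` for every installed copy of `drizzle-orm`, including copies nested under other dependencies, and reports any version older than 0.45.2. It assumes lockfile version 2 or 3, which store installed packages in a `packages` map keyed by install path; the sample lockfile object is constructed for the example, and the function and type names are mine.

```typescript
// Added example for this article. It is not a Drizzle tool and not part of the
// advisory: it scans an npm package-lock.json (lockfileVersion 2 or 3, whose
// "packages" map is keyed by install path) for every installed copy of
// drizzle-orm, including nested copies pulled in by other dependencies, and
// reports any copy older than the patched release. lockfileVersion 1 files use
// a different "dependencies" tree and are not handled here (assumption).

const PACKAGE_NAME = 'drizzle-orm';
const PATCHED_VERSION = '0.45.2';

interface LockPackageMeta {
  version?: string;
}
interface Lockfile {
  lockfileVersion?: number;
  packages?: { [installPath: string]: LockPackageMeta };
}
interface Finding {
  installPath: string;
  version: string;
}

// Compares two semver strings numerically. A prerelease (e.g. 0.45.2-beta.1)
// sorts before the plain release of the same numbers, matching semver rules,
// so a prerelease of the patched version is still reported.
function compareVersions(a: string, b: string): number {
  const aParts = a.split('-');
  const bParts = b.split('-');
  const pa = aParts[0].split('.').map(Number);
  const pb = bParts[0].split('.').map(Number);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = i < pa.length ? pa[i] : 0;
    const y = i < pb.length ? pb[i] : 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  const aPre = aParts.length > 1;
  const bPre = bParts.length > 1;
  if (aPre && !bPre) return -1;
  if (!aPre && bPre) return 1;
  return 0;
}

// True when the lockfile key names an installed copy of the package, whether
// top-level ("node_modules/drizzle-orm") or nested under another dependency
// ("node_modules/<dep>/node_modules/drizzle-orm").
function isCopyOf(installPath: string, pkg: string): boolean {
  const suffix = 'node_modules/' + pkg;
  return installPath === suffix ||
    installPath.slice(-(suffix.length + 1)) === '/' + suffix;
}

function findVulnerableDrizzle(lock: Lockfile): Finding[] {
  const findings: Finding[] = [];
  const packages = lock.packages || {};
  for (const installPath of Object.keys(packages)) {
    if (!isCopyOf(installPath, PACKAGE_NAME)) continue;
    const version = packages[installPath].version;
    if (!version) continue; // link or workspace entry without a version
    if (compareVersions(version, PATCHED_VERSION) < 0) {
      findings.push({ installPath, version });
    }
  }
  return findings;
}

// Constructed sample lockfile: the top-level copy is patched but a nested copy
// under another dependency is still on 0.45.1.
const SAMPLE_LOCK: Lockfile = {
  lockfileVersion: 3,
  packages: {
    '': { version: '1.0.0' },
    'node_modules/drizzle-orm': { version: '0.45.2' },
    'node_modules/drizzle-kit': { version: '0.30.0' },
    'node_modules/legacy-helper': { version: '2.3.1' },
    'node_modules/legacy-helper/node_modules/drizzle-orm': { version: '0.45.1' },
  },
};

for (const f of findVulnerableDrizzle(SAMPLE_LOCK)) {
  console.log(`VULNERABLE ${f.installPath} (${f.version} < ${PATCHED_VERSION})`);
}
```

The nested copy is the case a plain `package.json` review misses: the application's own dependency is already at 0.45.2, but a library it depends on still bundles 0.45.1, and whichever copy a given module resolves is the one that builds its queries. Run the same check in CI against the lockfile that is actually deployed, not only the one in the repository.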