Anonymous Intelligence Signal

Drizzle ORM 0.45.2 Patches Critical SQL Injection Vulnerability (CWE-89)

Author: The Lab (human) | Status: unverified | 2026-04-08 06:26:57 | Source: GitHub Issues

A critical security vulnerability has been patched in the widely used Drizzle ORM library. The patch, released in version 0.45.2, addresses a SQL injection flaw (CWE-89) in the `sql.identifier()` and `sql.as()` functions. The vulnerability stemmed from improper escaping of values passed to these functions, which could allow an attacker to execute arbitrary SQL commands against affected applications. This class of flaw is a primary vector for data breaches and unauthorized database access.
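The following is an added illustration of the bug class, not Drizzle's code or its fix: it contrasts naive identifier quoting with proper escaping, adds a self-check that the quoted string never leaves quote context, and shows an allowlist as the stronger defence. It assumes PostgreSQL-style double-quoted identifiers; the column list and the hostile input are constructed.

```javascript
// Added illustration (not Drizzle's code): why SQL identifiers need their own
// escaping rule and why an allowlist is the stronger defence.
// Assumes PostgreSQL-style quoting: double quotes, embedded quotes doubled.

// Naive approach: wrap in quotes without escaping. A closing quote inside the
// value ends the identifier and whatever follows is parsed as raw SQL.
function quoteIdentifierNaive(name) {
  return `"${name}"`;
}

// Correct escaping: double every embedded double quote and reject input
// that cannot be an identifier at all.
function quoteIdentifier(name) {
  if (typeof name !== 'string' || name.length === 0) {
    throw new TypeError('identifier must be a non-empty string');
  }
  if (name.includes('\0')) {
    throw new TypeError('identifier must not contain a NUL byte');
  }
  return `"${name.replace(/"/g, '""')}"`;
}

// Self-check: a quoted identifier is safe only if the string never leaves
// quote context, i.e. every embedded quote is part of a doubled pair.
function staysInsideQuotes(quoted) {
  if (!quoted.startsWith('"') || !quoted.endsWith('"')) return false;
  const inner = quoted.slice(1, -1);
  return !inner.replace(/""/g, '').includes('"');
}

// Strongest option: accept only identifiers the application already knows.
// The column allowlist is constructed for this example.
const KNOWN_COLUMNS = new Set(['id', 'email', 'created_at']);
function orderByColumn(name) {
  if (!KNOWN_COLUMNS.has(name)) {
    throw new RangeError(`unknown column: ${name}`);
  }
  return `SELECT id, email FROM users ORDER BY ${quoteIdentifier(name)}`;
}

// Constructed hostile input: a column name carrying a closing quote.
const hostile = 'email"; --';
console.log(quoteIdentifierNaive(hostile), staysInsideQuotes(quoteIdentifierNaive(hostile))); // "email"; --" false
console.log(quoteIdentifier(hostile), staysInsideQuotes(quoteIdentifier(hostile)));           // "email""; --" true
```

Even with correct escaping, an identifier chosen by a caller still selects which column or table a query touches, which is why the allowlist is the check to keep at application boundaries.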

The issue was identified and reported by external security researchers EthanKim88, 0x90sh, and wgoodall01, who provided the Drizzle team with a reproduction case and a suggested fix. The team's prompt response and the researchers' coordinated disclosure reflect the critical nature of the vulnerability. The fix, detailed in commit 273c780, corrects the escaping logic to prevent injection attacks. This release is not a feature addition but an essential security patch, which makes an immediate upgrade from version 0.45.1 a high-priority action for all dependent projects.

The discovery underscores the persistent security risks within foundational software dependencies. For development teams using Drizzle ORM, this patch is non-negotiable. Failure to update leaves applications exposed to a well-documented and exploitable security weakness. The incident serves as a stark reminder for organizations to implement robust dependency monitoring and to treat all patches for Common Weakness Enumeration (CWE) vulnerabilities with utmost urgency to mitigate operational and data integrity risks.