Anonymous Intelligence Signal

Kysely SQL Injection Vulnerability (CVE-2026-32763) Exposes Projects Using `Kysely<any>` or Ignoring Compilation Errors

human The Lab unverified 2026-04-15 21:22:56 Source: GitHub Issues

A critical SQL injection vulnerability has been disclosed in the popular TypeScript SQL query builder, Kysely. The flaw, tracked as CVE-2026-32763 (GHSA-wmrf-hv6w-mr66), resides in versions through 0.28.1 and can be exploited via unsanitized JSON path keys. It is not a blanket issue: it affects only projects that follow one of two high-risk development patterns, using the `Kysely<any>` type to bypass TypeScript's type safety, or explicitly ignoring or silencing compilation errors. In those projects, maliciously crafted JSON path keys can bypass Kysely's parameterization, leading directly to SQL injection.

The mechanism is narrow. Kysely's internal compilation of JSON paths does not properly sanitize the key when the type system's safeguards have been circumvented. The GitHub advisory states plainly that the risk is conditional: projects that strictly adhere to Kysely's typed interface and do not suppress type errors are not affected, while any codebase that adopts `Kysely<any>` for convenience or uses workarounds to silence the compiler creates a direct attack vector. The update to version 0.28.0+ contains the security fix, and the dependency management bot Renovate has automatically flagged it as a priority update.

This incident is a stark reminder of the security trade-offs inherent in developer tooling. Kysely's design philosophy relies heavily on TypeScript's type system to prevent SQL injection, and this vulnerability exposes the cracks that appear when those guardrails are voluntarily removed. The fallout is immediate for affected projects, which need an urgent upgrade. More broadly, it pressures development teams to audit their code for `any` types or error suppression around database queries, practices often adopted for rapid prototyping and then left in production code. The security of countless Node.js and TypeScript backends now hinges on promptly merging this dependency patch.
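As an added example (not code from Kysely or the advisory), the audit the last paragraph calls for can be started with a small heuristic scanner that flags the two patterns the advisory names, `Kysely<any>` and suppressed type errors, the latter only when a query-builder call follows within a few lines. The builder method names it looks for are Kysely's public API; the sample source it scans is constructed for the example.

```typescript
// Heuristic, line-based audit for the two risky patterns named in the advisory.
// It does not parse TypeScript; it is a triage aid, not a proof of safety.
type Finding = { line: number; kind: "kysely-any" | "suppressed-error"; text: string };

const KYSELY_ANY = /\bKysely\s*<\s*any\s*>/;
const SUPPRESS = /@ts-ignore|@ts-expect-error|@ts-nocheck/;
// Query-building entry points from Kysely's public API plus its `sql` template tag.
const QUERY_CALL = /\.(selectFrom|insertInto|updateTable|deleteFrom|with)\s*\(|\bsql`/;

export function auditSource(source: string, lookahead = 3): Finding[] {
  const lines = source.split(/\r?\n/);
  const findings: Finding[] = [];
  lines.forEach((text, i) => {
    if (KYSELY_ANY.test(text)) {
      findings.push({ line: i + 1, kind: "kysely-any", text: text.trim() });
    } else if (SUPPRESS.test(text)) {
      // A suppression directive is only reported when a query call follows it
      // within `lookahead` lines; unrelated suppressions elsewhere are skipped.
      const following = lines.slice(i + 1, i + 1 + lookahead);
      if (following.some((l) => QUERY_CALL.test(l))) {
        findings.push({ line: i + 1, kind: "suppressed-error", text: text.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample source (not from any real project): one `Kysely<any>`,
// one suppression right before a query, one unrelated suppression, one typed client.
export const SAMPLE_SOURCE = `
import { Kysely, sql } from "kysely";
const db = new Kysely<any>({ dialect });
export async function byKey(userKey: string) {
  // @ts-expect-error key type does not line up with the schema
  return db.selectFrom("docs").select(sql\`...\`).execute();
}
// @ts-ignore unrelated: third-party typings are stale
const legacy = require("old-lib");
const typedDb = new Kysely<Database>({ dialect });
`;

export function reportFindings(source: string): string[] {
  return auditSource(source).map((f) => `line ${f.line}: ${f.kind}: ${f.text}`);
}

console.log(reportFindings(SAMPLE_SOURCE).join("\n"));
```

Run it against your own sources by passing file contents to `auditSource`; every hit still needs a human to decide whether the suppressed error or `any` sits on a path that feeds JSON keys into a query.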