Anonymous Intelligence Signal

Drizzle ORM Security Patch: CVE-2026-39356 Fixes Critical SQL Identifier Escaping Flaw

The Lab (human, unverified) | 2026-04-16 11:22:50 | Source: GitHub Issues

A critical security vulnerability in the popular Drizzle ORM library has been patched, and developers are urged to update their dependencies promptly. The flaw, tracked as CVE-2026-39356, stemmed from improper escaping of quoted SQL identifiers within the library's dialect-specific `escapeName()` functions. In affected versions, delimiters embedded in an identifier were not escaped before the identifier was wrapped in quotes or backticks, so a delimiter inside an attacker-supplied table or column name could terminate the quoted identifier early and let the remainder be parsed as SQL, a classic SQL injection vector.
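To make the mechanism concrete, the following is an added illustration, not Drizzle's own code and not a reproduction of the patched function: a naive identifier escaper that only wraps the name in the dialect's delimiter, beside the standard fix of doubling every embedded delimiter before wrapping. The dialect delimiters (double quote for PostgreSQL and SQLite, backtick for MySQL), the function names and the hostile table name are assumptions made for the example; the small `isSingleIdentifier` check is a simplified tokenizer that applies only the doubling rule.

```javascript
// Added example (not Drizzle's source): why an identifier escaper must
// escape embedded delimiters, and how the standard fix works.
// Delimiters below follow the SQL convention: " for PostgreSQL/SQLite,
// ` for MySQL. Dialect names are assumptions for this illustration.
const DIALECTS = {
  postgres: '"',
  sqlite: '"',
  mysql: '`',
};

function delimiterFor(dialect) {
  const d = DIALECTS[dialect];
  if (d === undefined) throw new Error(`unknown dialect: ${dialect}`);
  return d;
}

// Vulnerable pattern (hypothetical, modelled on the advisory's description):
// wraps the name but leaves any delimiter inside it untouched.
function escapeNameUnsafe(name, dialect) {
  const d = delimiterFor(dialect);
  return d + name + d;
}

// Hardened pattern: every embedded delimiter is doubled, which the SQL
// parser reads as a literal delimiter character inside the identifier.
function escapeNameSafe(name, dialect) {
  const d = delimiterFor(dialect);
  return d + name.split(d).join(d + d) + d;
}

// Minimal tokenizer check: does `quoted` consist of exactly one delimited
// identifier? A doubled delimiter is a literal; a single one closes the
// identifier, and it must be the last character or the name has escaped.
function isSingleIdentifier(quoted, dialect) {
  const d = delimiterFor(dialect);
  if (quoted[0] !== d) return false;
  let i = 1;
  while (i < quoted.length) {
    if (quoted[i] === d) {
      if (quoted[i + 1] === d) { i += 2; continue; } // escaped delimiter
      return i === quoted.length - 1;                // closing delimiter
    }
    i++;
  }
  return false; // unterminated identifier
}

function buildSelect(table, dialect, escapeName) {
  return `SELECT * FROM ${escapeName(table, dialect)}`;
}

// Constructed attacker-controlled table name for the demonstration.
const HOSTILE = 'users"; DROP TABLE users; --';

// Stand-alone run: show both query strings and whether the identifier held.
for (const esc of [escapeNameUnsafe, escapeNameSafe]) {
  const sql = buildSelect(HOSTILE, 'postgres', esc);
  const ok = isSingleIdentifier(esc(HOSTILE, 'postgres'), 'postgres');
  console.log(`${esc.name}: ${sql}\n  single identifier: ${ok}`);
}
```

With the unsafe escaper the hostile name yields `SELECT * FROM "users"; DROP TABLE users; --"`, where the first embedded quote closes the identifier and the rest becomes a second statement; with doubling it yields `SELECT * FROM "users""; DROP TABLE users; --"`, a single (odd-looking but harmless) identifier. The check here models only the doubling rule; real dialects have further options (for example MySQL's backslash escapes or ANSI_QUOTES mode), which is exactly why escaping belongs in the ORM's dialect layer and why a bug there is so widely felt.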

The vulnerability was addressed in version 0.45.2 of the `drizzle-orm` package, a bump from 0.45.1 flagged as a security fix rather than a routine feature release. Because the flaw sits in core escaping logic, any application that uses the ORM to build queries with user-controlled or dynamic table or column names could be at risk, depending on the database dialect in use. After updating, confirm the resolved version with `npm ls drizzle-orm` (or the equivalent for your package manager) and make sure the lockfile pins 0.45.2 or later, since a transitive dependency can still pull in an older copy.

The disclosure via a GitHub security advisory and the rapid release of a patch underscore the persistent security pressures in the open-source software supply chain. While the immediate risk is mitigated by applying the update, the incident highlights the critical, often overlooked, role of ORM and database abstraction layers in application security: escaping is defense in depth, not a substitute for allowlisting the table and column names an application is willing to accept from users. Projects relying on Drizzle ORM must prioritize this update to close the vulnerability before it can be exploited.