The vulnerability stems from unescaped user input in LIMIT/OFFSET clauses. The commit diff shows critical changes where limit/offset parameters were wrapped in escape() calls across multiple dialects' query generators. The affected functions directly interpolated user-controlled values into SQL fragments without proper sanitization, particularly in the abstract base implementation and dialect-specific implementations for MSSQL, PostgreSQL, and SQLite. The added test cases in offset-limit.test.js verify proper escaping of malicious values, confirming these were the vulnerable points.