Skip to main content

CVE-2026-34220

CRITICAL
SQL Injection (CWE-89)
2026-03-29 https://github.com/mikro-orm/mikro-orm GHSA-gwhv-j974-6fxm
9.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 29, 2026 - 16:00 vuln.today
CVE Published
Mar 29, 2026 - 15:44 nvd
CRITICAL 9.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on @mikro-orm/core (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 7.0.0-dev.0.

DescriptionGitHub Advisory

Summary

MikroORM versions <= 6.6.9 and <= 7.0.5 are vulnerable to SQL injection when specially crafted objects are interpreted as raw SQL query fragments.

Impact

If user-controlled input is passed directly to MikroORM query construction APIs, an attacker may inject raw SQL fragments. This can lead to SQL injection depending on the database and query being executed.

Affected usage

The issue occurs when untrusted objects are passed to ORM write APIs such as:

  • wrap(entity).assign(userInput) followed by em.flush()
  • em.nativeUpdate()
  • em.nativeInsert()
  • em.create() followed by em.flush()

Applications that validate input types or enforce strict schema validation before passing data to MikroORM are not affected.

Fix

The vulnerability was caused by duck-typed detection of internal ORM marker properties.

The fix replaces these checks with symbol-based markers that cannot be reproduced by user input.

AnalysisAI

SQL injection in MikroORM JavaScript ORM (versions ≤6.6.9 and ≤7.0.5) allows attackers to execute arbitrary SQL commands when specially crafted user-controlled objects are passed to query construction APIs. The vulnerability stems from duck-typed detection of internal ORM markers that attackers can replicate in malicious input objects. Applications passing unsanitized user input directly to write APIs like wrap().assign(), em.nativeUpdate(), em.nativeInsert(), or em.create() are exploitable. No public exploit identified at time of analysis, though the attack technique is straightforward for environments accepting untrusted JSON/object input.

Technical ContextAI

MikroORM is a TypeScript ORM for Node.js supporting multiple SQL databases (PostgreSQL, MySQL, SQLite, MongoDB). The vulnerability (CWE-89: SQL Injection) occurs in the query construction layer where the ORM previously used duck-typing to identify internal query fragments through object property patterns. Attackers could craft JavaScript objects mimicking these internal marker properties, causing the ORM to misinterpret user data as raw SQL fragments. The affected package is @mikro-orm/core (pkg:npm/@mikro-orm_core). This architectural flaw affects write operations that merge untrusted object properties into database queries, particularly the entity assignment and native query APIs that dynamically construct SQL from JavaScript object structures.

RemediationAI

Upgrade to MikroORM version 6.6.10 or later for the 6.x release line, or version 7.0.6 or later for the 7.x release line, which implement symbol-based internal markers that cannot be reproduced through user input. The patched versions are available via npm package manager. As an immediate workaround for applications unable to upgrade immediately, implement strict input validation and type checking before passing any user-controlled data to MikroORM write APIs including wrap().assign(), em.nativeUpdate(), em.nativeInsert(), and em.create(). Use TypeScript interfaces with runtime validation libraries like class-validator or zod to enforce expected object structures and reject objects containing unexpected properties. Avoid passing raw request bodies or unsanitized JSON directly to ORM methods. Review all code paths where user input flows to the affected APIs and ensure schema validation occurs before ORM interaction. Detailed advisory and patch information: https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-gwhv-j974-6fxm.

Share

CVE-2026-34220 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy