CVE-2026-34220
CRITICALSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Blast Radius
ecosystem impact- 1 npm packages depend on @mikro-orm/core (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 7.0.0-dev.0.
DescriptionGitHub Advisory
Summary
MikroORM versions <= 6.6.9 and <= 7.0.5 are vulnerable to SQL injection when specially crafted objects are interpreted as raw SQL query fragments.
Impact
If user-controlled input is passed directly to MikroORM query construction APIs, an attacker may inject raw SQL fragments. This can lead to SQL injection depending on the database and query being executed.
Affected usage
The issue occurs when untrusted objects are passed to ORM write APIs such as:
wrap(entity).assign(userInput)followed byem.flush()em.nativeUpdate()em.nativeInsert()em.create()followed byem.flush()
Applications that validate input types or enforce strict schema validation before passing data to MikroORM are not affected.
Fix
The vulnerability was caused by duck-typed detection of internal ORM marker properties.
The fix replaces these checks with symbol-based markers that cannot be reproduced by user input.
AnalysisAI
SQL injection in MikroORM JavaScript ORM (versions ≤6.6.9 and ≤7.0.5) allows attackers to execute arbitrary SQL commands when specially crafted user-controlled objects are passed to query construction APIs. The vulnerability stems from duck-typed detection of internal ORM markers that attackers can replicate in malicious input objects. Applications passing unsanitized user input directly to write APIs like wrap().assign(), em.nativeUpdate(), em.nativeInsert(), or em.create() are exploitable. No public exploit identified at time of analysis, though the attack technique is straightforward for environments accepting untrusted JSON/object input.
Technical ContextAI
MikroORM is a TypeScript ORM for Node.js supporting multiple SQL databases (PostgreSQL, MySQL, SQLite, MongoDB). The vulnerability (CWE-89: SQL Injection) occurs in the query construction layer where the ORM previously used duck-typing to identify internal query fragments through object property patterns. Attackers could craft JavaScript objects mimicking these internal marker properties, causing the ORM to misinterpret user data as raw SQL fragments. The affected package is @mikro-orm/core (pkg:npm/@mikro-orm_core). This architectural flaw affects write operations that merge untrusted object properties into database queries, particularly the entity assignment and native query APIs that dynamically construct SQL from JavaScript object structures.
RemediationAI
Upgrade to MikroORM version 6.6.10 or later for the 6.x release line, or version 7.0.6 or later for the 7.x release line, which implement symbol-based internal markers that cannot be reproduced through user input. The patched versions are available via npm package manager. As an immediate workaround for applications unable to upgrade immediately, implement strict input validation and type checking before passing any user-controlled data to MikroORM write APIs including wrap().assign(), em.nativeUpdate(), em.nativeInsert(), and em.create(). Use TypeScript interfaces with runtime validation libraries like class-validator or zod to enforce expected object structures and reject objects containing unexpected properties. Avoid passing raw request bodies or unsanitized JSON directly to ORM methods. Review all code paths where user input flows to the affected APIs and ensure schema validation occurs before ORM interaction. Detailed advisory and patch information: https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-gwhv-j974-6fxm.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-gwhv-j974-6fxm