GHSA-GWHV-J974-6FXM

Vulnerability from github – Published: 2026-03-29 15:44 – Updated: 2026-03-31 18:55
VLAI?
Summary
MikroORM is vulnerable to SQL Injection via specially crafted object
Details

Summary

MikroORM versions <= 6.6.9 and <= 7.0.5 are vulnerable to SQL injection when specially crafted objects are interpreted as raw SQL query fragments.

Impact

If user-controlled input is passed directly to MikroORM query construction APIs, an attacker may inject raw SQL fragments. This can lead to SQL injection depending on the database and query being executed.

Affected usage

The issue occurs when untrusted objects are passed to ORM write APIs such as:

  • wrap(entity).assign(userInput) followed by em.flush()
  • em.nativeUpdate()
  • em.nativeInsert()
  • em.create() followed by em.flush()

Applications that validate input types or enforce strict schema validation before passing data to MikroORM are not affected.

Fix

The vulnerability was caused by duck-typed detection of internal ORM marker properties.

The fix replaces these checks with symbol-based markers that cannot be reproduced by user input.

Severity ?
9.3 (Critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@mikro-orm/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.6.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@mikro-orm/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0-dev.0"
            },
            {
              "fixed": "7.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34220"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-29T15:44:04Z",
    "nvd_published_at": "2026-03-31T16:16:32Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nMikroORM versions \u003c= 6.6.9 and \u003c= 7.0.5 are vulnerable to SQL injection when specially crafted objects are interpreted as raw SQL query fragments.\n\n## Impact\n\nIf user-controlled input is passed directly to MikroORM query construction APIs, an attacker may inject raw SQL fragments. This can lead to SQL injection depending on the database and query being executed.\n\n## Affected usage\n\nThe issue occurs when untrusted objects are passed to ORM write APIs such as:\n\n- `wrap(entity).assign(userInput)` followed by `em.flush()`\n- `em.nativeUpdate()`\n- `em.nativeInsert()`\n- `em.create()` followed by `em.flush()`\n\nApplications that validate input types or enforce strict schema validation before passing data to MikroORM are not affected.\n\n## Fix\n\nThe vulnerability was caused by duck-typed detection of internal ORM marker properties.\n\nThe fix replaces these checks with symbol-based markers that cannot be reproduced by user input.",
  "id": "GHSA-gwhv-j974-6fxm",
  "modified": "2026-03-31T18:55:02Z",
  "published": "2026-03-29T15:44:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-gwhv-j974-6fxm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34220"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mikro-orm/mikro-orm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MikroORM is vulnerable to SQL Injection via specially crafted object"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.