Martin Adámek

PT-2026-39290 · CVSS 7.6 · 2026-05-08 · npm · @mikro-orm/knex · CVE-2026-44680
**Name of the Vulnerable Software and Affected Versions**

- @mikro-orm/knex versions prior to 6.6.14
- @mikro-orm/sql versions prior to 7.0.14

**Description**

MikroORM's identifier-quoting helper (`Platform.quoteIdentifier` and its postgres/mssql overrides) and its JSON-path emitters (`Platform.getSearchJsonPropertyKey`, `quoteJsonKey`) do not escape the characters that delimit the SQL identifier or string-literal context. An attacker can therefore break out of the quoted context and inject arbitrary SQL whenever application code passes attacker-influenced strings to public ORM APIs that expect an identifier or a JSON-property filter. All supported SQL dialects are affected; the MongoDB driver is not.

The affected areas are:

- Multi-tenant `schema` option, used in `em.fork({ schema })`, `qb.withSchema(name)`, `wrap(entity).setSchema(name)`, and `em.create(Cls, data, { schema })`: the `schema` value is concatenated into the SQL identifier without escaping the dialect's quote character.
- JSON-property filters in `em.find` and `qb.where`: user-supplied JSON sub-keys in `em.find(Entity, { jsonCol: { [userKey]: value } })` are spliced into the SQL string literal of the JSON path expression without escaping.
- Keys in `qb.where`, `qb.orderBy`, `qb.groupBy`, `qb.having`, and `qb.select`: keys containing `.` or `::` bypass the structured-where metadata validator in `CriteriaNode` and are passed to the flawed `quoteIdentifier` function.

**Recommendations**

- Upgrade @mikro-orm/knex to version 6.6.14 or later.
- Upgrade @mikro-orm/sql to version 7.0.14 or later.
- For multi-tenant applications using `em.fork({ schema })`, `wrap().setSchema()`, or `qb.withSchema()`, validate the schema name against a strict allowlist (e.g., `^[A-Za-z_][\w$]*$`) before passing it to the ORM.
- For applications passing `where` or `orderBy` filters from request input, validate every key against the entity's known properties and reject keys containing `.` or `::`.
- For applications allowing filtering on JSON columns from request input, validate every JSON sub-key against an allowlist (e.g., `^[a-zA-Z_][\w]*$`) before passing it to `em.find`.
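The allowlist checks recommended above, as an added example that is not MikroORM's own code: it validates a tenant schema name and a request-supplied `where` object before either is handed to `em.fork({ schema })` or `em.find()`. The entity property sets (`KNOWN_PROPS`, `JSON_PROPS`) and the sample inputs are constructed for illustration.

```typescript
// Added example (not part of MikroORM): validate request-controlled values
// before they reach em.fork({ schema }) or em.find(Entity, where).

// Allowlist from the advisory: a schema name must look like a plain identifier.
const SCHEMA_NAME = /^[A-Za-z_][\w$]*$/;
// Allowlist from the advisory for JSON sub-keys used in JSON-column filters.
const JSON_SUB_KEY = /^[a-zA-Z_][\w]*$/;

function isSafeSchemaName(name: string): boolean {
  return SCHEMA_NAME.test(name);
}

// Returns a list of problems; an empty list means the filter may be forwarded.
// Rejects keys containing "." or "::" (they bypass the structured-where
// validator in affected versions), keys that are not known entity properties,
// and JSON sub-keys outside the allowlist on JSON-typed properties.
function validateWhere(
  where: Record<string, unknown>,
  knownProps: ReadonlySet<string>,
  jsonProps: ReadonlySet<string>,
): string[] {
  const problems: string[] = [];
  for (const [key, value] of Object.entries(where)) {
    if (key.includes('.') || key.includes('::')) {
      problems.push(`key "${key}" contains "." or "::"`);
      continue;
    }
    if (!knownProps.has(key)) {
      problems.push(`key "${key}" is not a known entity property`);
      continue;
    }
    if (jsonProps.has(key) && value !== null && typeof value === 'object' && !Array.isArray(value)) {
      for (const subKey of Object.keys(value)) {
        if (!JSON_SUB_KEY.test(subKey)) {
          problems.push(`JSON sub-key "${subKey}" on "${key}" is not allowlisted`);
        }
      }
    }
  }
  return problems;
}

// Constructed entity metadata and request inputs for illustration.
const KNOWN_PROPS: ReadonlySet<string> = new Set(['id', 'name', 'meta']);
const JSON_PROPS: ReadonlySet<string> = new Set(['meta']);

console.log(isSafeSchemaName('tenant_42'));  // true
console.log(isSafeSchemaName('tenant"42'));  // false: contains a quote character
console.log(validateWhere({ name: 'x', meta: { color: 'red' } }, KNOWN_PROPS, JSON_PROPS)); // []
console.log(validateWhere({ 'meta.color': 'red' }, KNOWN_PROPS, JSON_PROPS)); // one problem
```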