PT-2026-28612 · Mikroorm

Lukas-Eu · Published 2026-03-29 · Updated 2026-04-04 · CVE-2026-34221

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions
MikroORM versions prior to 6.6.10
MikroORM versions prior to 7.0.6

Description
A flaw exists in the Utils.merge helper within MikroORM that does not prevent the use of the special keys __proto__, constructor, and prototype during object merging. This allows attacker-controlled input to potentially modify the shared JavaScript Object prototype. Exploitation requires application code to pass untrusted user input into ORM operations that merge object structures, such as entity property assignment or query condition construction. Prototype pollution may lead to denial of service or unexpected application behavior. In some cases, polluted properties could influence query construction, potentially resulting in SQL injection depending on the application code.

Recommendations
Update to MikroORM version 6.6.10 or later.
Update to MikroORM version 7.0.6 or later.
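The Description above names the three key names an unguarded recursive merge lets through. The following is an added example, not MikroORM's own code or a copy of Utils.merge: an illustrative deep-merge helper that refuses those keys before writing, exercised against a constructed JSON request body of the kind an HTTP handler might hand to an ORM merge. The function names, the FORBIDDEN_KEYS set and the sample payload are assumptions made for this example.

```javascript
// Added example (not MikroORM's code): a deep-merge helper that rejects the
// prototype-pollution key names the advisory lists, plus a check that a
// constructed JSON payload cannot reach Object.prototype through it.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Only plain objects are merged recursively; arrays, class instances, Dates
// and so on are assigned as-is so the merge never walks into them.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Deep-merge `source` into `target`. Every own key of `source` is checked
// against FORBIDDEN_KEYS before it is written; a match throws, so a polluted
// payload fails loudly instead of silently altering Object.prototype.
function safeMerge(target, source) {
  if (!isPlainObject(target) || !isPlainObject(source)) {
    throw new TypeError('safeMerge: both arguments must be plain objects');
  }
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`safeMerge: refusing to merge forbidden key "${key}"`);
    }
    const value = source[key];
    if (isPlainObject(value)) {
      // Reuse the existing sub-object only if it is an own, plain property;
      // otherwise start from a fresh object so inherited values are untouched.
      const existing = hasOwn(target, key) && isPlainObject(target[key])
        ? target[key]
        : {};
      target[key] = safeMerge(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample request body (not taken from the advisory). JSON.parse
// turns the "__proto__" member into an ordinary own property, which is what
// an unguarded recursive merge would then write through to Object.prototype.
const CONSTRUCTED_PAYLOAD = '{"name":"alice","__proto__":{"polluted":"yes"}}';

// Merge a payload into a fixed target and report the outcome:
// `rejected` is true when a forbidden key was refused, `prototypeClean` is
// true when a fresh object inherited nothing from the payload.
function demo(payload = CONSTRUCTED_PAYLOAD) {
  const target = { name: 'bob', address: { city: 'x' } };
  let rejected = false;
  try {
    safeMerge(target, JSON.parse(payload));
  } catch (e) {
    rejected = e.message.includes('forbidden key');
  }
  const prototypeClean = ({}).polluted === undefined;
  return { rejected, prototypeClean, target };
}

console.log(demo());
```

Throwing rather than silently dropping the key is a deliberate choice: a rejected request leaves a log entry that operators can alert on, whereas a skipped key hides the attempt. The same guard belongs wherever untrusted JSON reaches a recursive merge, which on this page means entity property assignment and query condition construction.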

Weakness Enumeration
Prototype Pollution

Related Identifiers
CVE-2026-34221
GHSA-QPFV-44F3-QQX6

Affected Products
Mikroorm