CVE-2026-34221
Prototype Pollution in MikroORM Utils.merge Risks Object Integrity
Publication date: 2026-03-31
Last updated on: 2026-04-03
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mikro-orm | mikroorm | to 6.6.10 (exc) |
| mikro-orm | mikroorm | From 7.0.0 (inc) to 7.0.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34221 is a prototype pollution vulnerability in the Utils.merge helper function used internally by MikroORM, a TypeScript ORM for Node.js.
The vulnerability occurs because the merge function does not prevent merging of special JavaScript keys such as __proto__, constructor, or prototype. This allows attacker-controlled input to modify the JavaScript object prototype when merging object structures.
Exploitation requires that untrusted user input is passed into MikroORM operations that perform merges, such as entity property assignments or query condition constructions.
How can this vulnerability impact me? :
This vulnerability can lead to denial of service or unexpected application behavior by modifying the prototype of JavaScript objects.
In some cases, polluted prototype properties may influence query construction, potentially enabling SQL injection depending on the applicationβs code.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if your system is running vulnerable versions of the @mikro-orm/core package, specifically versions up to 6.6.9 and 7.x up to 7.0.5.
You can check the installed version of @mikro-orm/core in your Node.js project by running the following command in your project directory:
- npm list @mikro-orm/core
If the version is within the vulnerable range, your system is potentially affected. Additionally, review your application code for usage of MikroORM operations that merge untrusted user input, such as entity property assignments or query condition constructions.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the @mikro-orm/core package to a patched version. Specifically, update to version 6.6.10 or later, or 7.0.6 or later.
Additionally, avoid passing untrusted user input directly into MikroORM operations that perform object merges, such as entity property assignments or query condition constructions, until the upgrade is applied.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the prototype pollution vulnerability in MikroORM directly affects compliance with common standards and regulations such as GDPR or HIPAA.