CVE-2026-34221
Received Received - Intake
Prototype Pollution in MikroORM Utils.merge Risks Object Integrity

Publication date: 2026-03-31

Last updated on: 2026-04-03

Assigner: GitHub, Inc.

Description
MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, a prototype pollution vulnerability exists in the Utils.merge helper used internally by MikroORM when merging object structures. The function did not prevent special keys such as __proto__, constructor, or prototype, allowing attacker-controlled input to modify the JavaScript object prototype when merged. This issue has been patched in versions 6.6.10 and 7.0.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-03
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34221
EUVD
EUVD-2026-17488
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
mikro-orm mikroorm to 6.6.10 (exc)
mikro-orm mikroorm From 7.0.0 (inc) to 7.0.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how the prototype pollution vulnerability in MikroORM directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-34221 is a prototype pollution vulnerability in the Utils.merge helper function used internally by MikroORM, a TypeScript ORM for Node.js.

The vulnerability occurs because the merge function does not prevent merging of special JavaScript keys such as __proto__, constructor, or prototype. This allows attacker-controlled input to modify the JavaScript object prototype when merging object structures.

Exploitation requires that untrusted user input is passed into MikroORM operations that perform merges, such as entity property assignments or query condition constructions.

Impact Analysis

This vulnerability can lead to denial of service or unexpected application behavior by modifying the prototype of JavaScript objects.

In some cases, polluted prototype properties may influence query construction, potentially enabling SQL injection depending on the application’s code.

Detection Guidance

This vulnerability can be detected by identifying if your system is running vulnerable versions of the @mikro-orm/core package, specifically versions up to 6.6.9 and 7.x up to 7.0.5.

You can check the installed version of @mikro-orm/core in your Node.js project by running the following command in your project directory:

  • npm list @mikro-orm/core

If the version is within the vulnerable range, your system is potentially affected. Additionally, review your application code for usage of MikroORM operations that merge untrusted user input, such as entity property assignments or query condition constructions.

Mitigation Strategies

The immediate mitigation step is to upgrade the @mikro-orm/core package to a patched version. Specifically, update to version 6.6.10 or later, or 7.0.6 or later.

Additionally, avoid passing untrusted user input directly into MikroORM operations that perform object merges, such as entity property assignments or query condition constructions, until the upgrade is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34221. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart