Description
MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, a prototype pollution vulnerability exists in the Utils.merge helper used internally by MikroORM when merging object structures. The function did not prevent special keys such as __proto__, constructor, or prototype, allowing attacker-controlled input to modify the JavaScript object prototype when merged. This issue has been patched in versions 6.6.10 and 7.0.6.
Published: 2026-03-31
Score: 8.3 High
EPSS: n/a
KEV: No
Impact: Prototype Pollution that can lead to unauthorized code execution
Action: Immediate Patch
AI Analysis

Impact

MikroORM contains a prototype pollution flaw in the helper function Utils.merge. The function fails to guard against special keys such as __proto__, constructor, or prototype, allowing attacker-controlled input to alter the JavaScript object prototype when merging. This weakness, classified as CWE‑1321, can enable an attacker to inject malicious properties or methods into prototypes, potentially leading to code execution or other unintended behavior.

Affected Systems

The vulnerability affects users of the MikroORM project, specifically versions of mikro-orm before 6.6.10 and before 7.0.6. All Node.js applications that include these older MikroORM releases ingest the impacted code path for database or object handling.

Risk and Exploitability

The flaw carries a high CVSS score of 8.3, indicating significant impact and exploitability. While no EPSS data is available and the vulnerability is not listed in CISA's KEV catalog, the attack vector is likely remote through crafted requests that trigger the merge routine, such as API payloads or user-provided data. Given the lack of mitigation in older releases, a determined adversary could feasibly exploit the prototype pollution to achieve code execution or privilege escalation in the application.

Generated by OpenCVE AI on March 31, 2026 at 17:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MikroORM to version 6.6.10 or newer, or 7.0.6 or newer, depending on your branch
  • Verify that the application has been rebuilt and deployed after the upgrade
  • Review any custom merge logic in your code to ensure the whitelist for special keys is applied
  • Monitor runtime logs for unusual prototype modifications or injection attempts

Generated by OpenCVE AI on March 31, 2026 at 17:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qpfv-44f3-qqx6 MikroORM has Prototype Pollution in Utils.merge
History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Mikro-orm
Mikro-orm mikro-orm
Vendors & Products Mikro-orm
Mikro-orm mikro-orm

Tue, 31 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, a prototype pollution vulnerability exists in the Utils.merge helper used internally by MikroORM when merging object structures. The function did not prevent special keys such as __proto__, constructor, or prototype, allowing attacker-controlled input to modify the JavaScript object prototype when merged. This issue has been patched in versions 6.6.10 and 7.0.6.
Title MikroORM has Prototype Pollution in Utils.merge
Weaknesses CWE-1321
References
Metrics cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L'}

Subscriptions

Mikro-orm Mikro-orm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T18:52:43.939Z

Reserved: 2026-03-26T15:57:52.324Z

Link: CVE-2026-34221

cve-icon Vulnrichment

Updated: 2026-03-31T18:50:18.969Z

cve-icon NVD

Status : Received

Published: 2026-03-31T16:16:32.293

Modified: 2026-03-31T16:16:32.293

Link: CVE-2026-34221

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:38:07Z

Weaknesses