Description
MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, a prototype pollution vulnerability exists in the Utils.merge helper used internally by MikroORM when merging object structures. The function did not prevent special keys such as __proto__, constructor, or prototype, allowing attacker-controlled input to modify the JavaScript object prototype when merged. This issue has been patched in versions 6.6.10 and 7.0.6.
Published: 2026-03-31
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Prototype pollution leading to possible arbitrary property injection and downstream code execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in MikroORM’s Utils.merge helper, which historically accepts objects without sanitizing special keys such as __proto__, constructor, or prototype. This omission permits an attacker to inject those keys into the merge process, thereby altering the JavaScript object prototype chain. The result can be unpredictable behavior, modification of prototype methods, and in some contexts escalation to arbitrary code execution. The weakness is identified as CWE‑1321, a prototype pollution flaw.

Affected Systems

Vendors and products affected are the MikroORM TypeScript Object‑Relational Mapping library released by mikro‑orm under the product name "MikroORM". All versions preceding 6.6.10 of the 6.x series and 7.0.6 of the 7.x series are vulnerable; users of these releases should review their dependency graph for the presence of MikroORM.

Risk and Exploitability

The CVSS score of 8.3 reflects the high severity of prototype injection, particularly in environments where MikroORM processes untrusted input. EPSS indicates a low probability of exploitation (<1%), and the flaw is not listed in CISA’s KEV catalog, suggesting no widespread public exploits yet. However, the vulnerability can be leveraged remotely wherever an application exposes an API or interface that triggers Utils.merge with user‑controlled data. Successful exploitation would require an attacker to supply crafted input that merges into application objects, with potential cascading effects depending on how MikroORM interacts with the rest of the code.

Generated by OpenCVE AI on April 3, 2026 at 17:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MikroORM to version 6.6.10 or newer, or 7.0.6 or newer, where the merge function now filters prohibited keys.
  • If an upgrade is not immediately possible, validate or sanitize input objects before passing them to Utils.merge, ensuring keys like __proto__, constructor, and prototype are removed or ignored.
  • Monitor application logs for anomalous prototype modifications or errors that may indicate attempted exploitation.
  • Apply general defensive coding practices for JavaScript applications, such as using Object.freeze to protect critical objects and restricting the namespaces used for runtime configuration.

Generated by OpenCVE AI on April 3, 2026 at 17:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qpfv-44f3-qqx6 MikroORM has Prototype Pollution in Utils.merge
History

Fri, 03 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Mikro-orm mikroorm
CPEs cpe:2.3:a:mikro-orm:mikroorm:*:*:*:*:*:node.js:*:*
Vendors & Products Mikro-orm mikroorm
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Mikro-orm
Mikro-orm mikro-orm
Vendors & Products Mikro-orm
Mikro-orm mikro-orm

Tue, 31 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, a prototype pollution vulnerability exists in the Utils.merge helper used internally by MikroORM when merging object structures. The function did not prevent special keys such as __proto__, constructor, or prototype, allowing attacker-controlled input to modify the JavaScript object prototype when merged. This issue has been patched in versions 6.6.10 and 7.0.6.
Title MikroORM has Prototype Pollution in Utils.merge
Weaknesses CWE-1321
References
Metrics cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L'}

Subscriptions

Mikro-orm Mikro-orm Mikroorm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T18:52:43.939Z

Reserved: 2026-03-26T15:57:52.324Z

Link: CVE-2026-34221

cve-icon Vulnrichment

Updated: 2026-03-31T18:50:18.969Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T16:16:32.293

Modified: 2026-04-03T15:13:26.167

Link: CVE-2026-34221

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T21:17:39Z

Weaknesses