CVE-2026-34221

EUVD-2026-17488

31.03.2026, 16:16

MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, a prototype pollution vulnerability exists in the Utils.merge helper used internally by MikroORM when merging object structures. The function did not prevent special keys such as __proto__, constructor, or prototype, allowing attacker-controlled input to modify the JavaScript object prototype when merged. This issue has been patched in versions 6.6.10 and 7.0.6.

Prototype Pollution

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.1 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 34%

Affected Products (NVD)

Vendor	Product	Version
mikro-orm	mikroorm	𝑥 < 6.6.10
mikro-orm	mikroorm	7.0.0 ≤ 𝑥 < 7.0.6

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
The software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

References

https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-qpfv-44f3-qqx6