CVE-2026-34221

CRITICAL

MikroORM has Prototype Pollution in Utils.merge

Title source: cna

Description

MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, a prototype pollution vulnerability exists in the Utils.merge helper used internally by MikroORM when merging object structures. The function did not prevent special keys such as __proto__, constructor, or prototype, allowing attacker-controlled input to modify the JavaScript object prototype when merged. This issue has been patched in versions 6.6.10 and 7.0.6.

References (1)

[X_Refsource_Confirm] https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-qpfv-44f3-qqx6

Scores

CVSS v3 9.1

EPSS 0.0013

EPSS Percentile 32.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1321

Status published

Products (4)

mikro-orm/core 0 - 6.6.10npm

mikro-orm/mikro-orm < 6.6.10

mikro-orm/mikro-orm >= 7.0.0-rc.0, < 7.0.6

mikro-orm/mikroorm < 6.6.10

Published Mar 31, 2026

Tracked Since Mar 31, 2026