GHSA-gwhv-j974-6fxm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-gwhv-j974-6fxm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-gwhv-j974-6fxm/GHSA-gwhv-j974-6fxm.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-gwhv-j974-6fxm
- Aliases
- Published
- 2026-03-29T15:44:04Z
- Modified
- 2026-03-31T19:04:13.281993Z
- Severity
-
- 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- MikroORM is vulnerable to SQL Injection via specially crafted object
- Details
-
Summary
MikroORM versions <= 6.6.9 and <= 7.0.5 are vulnerable to SQL injection when specially crafted objects are interpreted as raw SQL query fragments.
Impact
If user-controlled input is passed directly to MikroORM query construction APIs, an attacker may inject raw SQL fragments. This can lead to SQL injection depending on the database and query being executed.
Affected usage
The issue occurs when untrusted objects are passed to ORM write APIs such as:
wrap(entity).assign(userInput)followed byem.flush()em.nativeUpdate()em.nativeInsert()em.create()followed byem.flush()
Applications that validate input types or enforce strict schema validation before passing data to MikroORM are not affected.
Fix
The vulnerability was caused by duck-typed detection of internal ORM marker properties.
The fix replaces these checks with symbol-based markers that cannot be reproduced by user input.
- Database specific
{ "github_reviewed": true, "nvd_published_at": "2026-03-31T16:16:32Z", "cwe_ids": [ "CWE-89" ], "github_reviewed_at": "2026-03-29T15:44:04Z", "severity": "CRITICAL" }- References
Affected packages
npm / @mikro-orm/core
Package
- Name
- @mikro-orm/core
- View open source insights on deps.dev
- Purl
- pkg:npm/%40mikro-orm/core
npm / @mikro-orm/core
Package
- Name
- @mikro-orm/core
- View open source insights on deps.dev
- Purl
- pkg:npm/%40mikro-orm/core