CVE-2026-34220
MikroORM is vulnerable to SQL Injection via specially crafted object
描述
## Summary MikroORM versions <= 6.6.9 and <= 7.0.5 are vulnerable to SQL injection when specially crafted objects are interpreted as raw SQL query fragments. ## Impact If user-controlled input is passed directly to MikroORM query construction APIs, an attacker may inject raw SQL fragments. This can lead to SQL injection depending on the database and query being executed. ## Affected usage The issue occurs when untrusted objects are passed to ORM write APIs such as: - `wrap(entity).assign(userInput)` followed by `em.flush()` - `em.nativeUpdate()` - `em.nativeInsert()` - `em.create()` followed by `em.flush()` Applications that validate input types or enforce strict schema validation before passing data to MikroORM are not affected. ## Fix The vulnerability was caused by duck-typed detection of internal ORM marker properties. The fix replaces these checks with symbol-based markers that cannot be reproduced by user input.
如何修補 CVE-2026-34220
要修補 CVE-2026-34220,請將受影響套件升級到下列已修補版本。
- —升級至 6.6.10 或更新版本
CVE-2026-34220 正在被利用嗎?
低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- from 0, < 6.6.10
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |