CVE-2026-34221
MikroORM has Prototype Pollution in Utils.merge
Description
A prototype pollution vulnerability exists in the `Utils.merge` helper that MikroORM uses internally to merge object structures. The function did not reject the special keys `__proto__`, `constructor`, and `prototype`, so attacker-controlled input merged through it could modify the shared JavaScript `Object.prototype`. Exploitation requires application code to pass untrusted user input into ORM operations that merge object structures, such as entity property assignment or query condition construction. Prototype pollution can cause denial of service or unexpected application behaviour. In some scenarios a polluted property can influence query construction and, depending on the application code, may lead to SQL injection.
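The following example, added here and not taken from MikroORM's source, shows the bug class in a simplified deep-merge helper next to a hardened version. The merge functions, the `conditionKeys` query-builder stand-in and the JSON payload are constructed illustrations of the pattern described above; they are not the project's `Utils.merge` or its API. Note that `JSON.parse` produces an own property literally named `__proto__`, which is what lets the payload reach the prototype chain.

```javascript
// Constructed attacker payload, as it would arrive in a JSON request body.
// JSON.parse creates an *own* property named "__proto__" (unlike an object
// literal, where __proto__ sets the prototype), plus a constructor.prototype path.
const PAYLOAD = JSON.parse(
  '{"name":"alice","__proto__":{"isAdmin":true},' +
  '"constructor":{"prototype":{"role":"admin"}}}'
);

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable pattern (illustrative, not MikroORM's code): recurse into whatever
// target[key] resolves to. For key "__proto__" that is Object.prototype itself,
// and for "constructor" it is the Object function, whose .prototype is reachable next.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (target[key] === undefined) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: drop the keys that lead to the prototype chain, and only
// recurse into an *own* plain-object property of the target, never an inherited one.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Stand-in for a query builder that walks a condition object with for...in.
// for...in enumerates inherited enumerable properties too, which is how a
// polluted Object.prototype ends up contributing keys to a WHERE clause.
function conditionKeys(where) {
  const keys = [];
  for (const k in where) keys.push(k);
  return keys;
}

// Runs one merge implementation against the payload and reports what an
// unrelated object created afterwards can see. Cleans up the pollution so the
// rest of the process is unaffected.
function demonstrate(mergeFn) {
  const entity = mergeFn({}, PAYLOAD);
  const victim = {};
  const result = {
    name: entity.name,
    isAdmin: victim.isAdmin,                 // true only if __proto__ path polluted
    role: victim.role,                       // 'admin' only if constructor.prototype path polluted
    leakedKeys: conditionKeys({ id: 1 }),    // extra keys only while the prototype is polluted
  };
  delete Object.prototype.isAdmin;
  delete Object.prototype.role;
  return result;
}

console.log('naiveMerge:', demonstrate(naiveMerge));
console.log('safeMerge: ', demonstrate(safeMerge));
```

Both keys in the payload must be handled: denying only `__proto__` still leaves `constructor.prototype` open in merges that recurse through function-valued properties. Building merge results on null-prototype objects (`Object.create(null)`) is a complementary defence, and `Object.freeze(Object.prototype)` at startup turns any remaining pollution attempt into a no-op (or a TypeError in strict code) at the cost of breaking libraries that legitimately extend built-ins.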
How to fix CVE-2026-34221
To fix CVE-2026-34221, upgrade the affected package to the patched version below.
- Upgrade to 6.6.10 or later
Is CVE-2026-34221 being exploited?
Low: EPSS is 0.0%, and no widespread exploitation activity has been observed so far.
Affected packages (1)
- from 0, < 6.6.10 (every release before 6.6.10)
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L |