CVE-2026-34221

Critical

Published: 31 March 2026

Published

31 March 2026

Modified

03 April 2026

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

EPSS Score 0.0015 34.5th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, a prototype pollution vulnerability exists in the Utils.merge helper used internally by MikroORM when merging object…

structures. The function did not prevent special keys such as __proto__, constructor, or prototype, allowing attacker-controlled input to modify the JavaScript object prototype when merged. This issue has been patched in versions 6.6.10 and 7.0.6.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and patching of the prototype pollution flaw in MikroORM versions prior to 6.6.10 and 7.0.6 to prevent exploitation.

SI-10 Information Input Validation partial match

prevent

Requires validation of attacker-controlled inputs to block special keys like __proto__, constructor, or prototype that trigger pollution during object merging.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Facilitates vulnerability scanning to identify systems running vulnerable MikroORM versions exposed to this prototype pollution issue.

Security SummaryAI

CVE-2026-34221 is a prototype pollution vulnerability in MikroORM, a TypeScript ORM for Node.js based on Data Mapper, Unit of Work, and Identity Map patterns. The flaw exists in the Utils.merge helper function used internally for merging object structures, which does not block special keys such as __proto__, constructor, or prototype. This allows attacker-controlled input to modify the JavaScript object prototype during merging. The vulnerability affects MikroORM versions prior to 6.6.10 and 7.0.6.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges or user interaction. By supplying crafted input to the merge function, they can pollute the global object prototype, enabling arbitrary code execution or denial-of-service conditions. The issue carries a CVSS 3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) and is classified under CWE-1321.

The vulnerability has been addressed in MikroORM versions 6.6.10 and 7.0.6. Additional details on the patch and remediation are available in the GitHub security advisory at https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-qpfv-44f3-qqx6.

Details

CWE(s): CWE-1321

Affected Products

mikro-orm

mikroorm

≤ 6.6.10 · 7.0.0 — 7.0.6

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Unauthenticated remote exploitation of a Node.js ORM library vulnerability in likely public-facing web applications directly enables T1190: Exploit Public-Facing Application, potentially leading to RCE or DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-qpfv-44f3-qqx6
Vendor Advisory · security-advisories@github.com