{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34221", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-26T15:57:52.324Z", "datePublished": "2026-03-31T15:17:45.286Z", "dateUpdated": "2026-03-31T18:52:43.939Z"}, "containers": {"cna": {"title": "MikroORM has Prototype Pollution in Utils.merge", "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L", "version": "4.0"}}], "references": [{"name": "https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-qpfv-44f3-qqx6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-qpfv-44f3-qqx6"}], "affected": [{"vendor": "mikro-orm", "product": "mikro-orm", "versions": [{"version": "< 6.6.10", "status": "affected"}, {"version": ">= 7.0.0-rc.0, < 7.0.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T15:17:45.286Z"}, "descriptions": [{"lang": "en", "value": "MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, a prototype pollution vulnerability exists in the Utils.merge helper used internally by MikroORM when merging object structures. The function did not prevent special keys such as __proto__, constructor, or prototype, allowing attacker-controlled input to modify the JavaScript object prototype when merged. This issue has been patched in versions 6.6.10 and 7.0.6."}], "source": {"advisory": "GHSA-qpfv-44f3-qqx6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T18:50:17.961219Z", "id": "CVE-2026-34221", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T18:52:43.939Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34221", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T18:50:17.961219Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T18:50:18.969Z"}}], "cna": {"title": "MikroORM has Prototype Pollution in Utils.merge", "source": {"advisory": "GHSA-qpfv-44f3-qqx6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "mikro-orm", "product": "mikro-orm", "versions": [{"status": "affected", "version": "< 6.6.10"}, {"status": "affected", "version": ">= 7.0.0-rc.0, < 7.0.6"}]}], "references": [{"url": "https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-qpfv-44f3-qqx6", "name": "https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-qpfv-44f3-qqx6", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, a prototype pollution vulnerability exists in the Utils.merge helper used internally by MikroORM when merging object structures. The function did not prevent special keys such as __proto__, constructor, or prototype, allowing attacker-controlled input to modify the JavaScript object prototype when merged. This issue has been patched in versions 6.6.10 and 7.0.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1321", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T15:17:45.286Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34221", "state": "PUBLISHED", "dateUpdated": "2026-03-31T18:52:43.939Z", "dateReserved": "2026-03-26T15:57:52.324Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T15:17:45.286Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mikro-orm:mikroorm:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "0FEF8C0C-0A0A-4580-B601-D588C9E81FB2", "versionEndExcluding": "6.6.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:mikro-orm:mikroorm:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "BC38F0C3-2043-4A5D-9FFF-CA1F7E295BD3", "versionEndExcluding": "7.0.6", "versionStartIncluding": "7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, a prototype pollution vulnerability exists in the Utils.merge helper used internally by MikroORM when merging object structures. The function did not prevent special keys such as __proto__, constructor, or prototype, allowing attacker-controlled input to modify the JavaScript object prototype when merged. This issue has been patched in versions 6.6.10 and 7.0.6."}], "id": "CVE-2026-34221", "lastModified": "2026-04-03T15:13:26.167", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T16:16:32.293", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-qpfv-44f3-qqx6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.6.10)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0-rc.0,7.0.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "mikro-orm", "source": "cna", "vendor": "mikro-orm"}, "product": "mikro-orm", "vendor": "mikro-orm"}], "analysis": {"en": {"generated_at": "2026-04-03T17:24:09.878665+00:00", "value": {"mitigation_remediation": ["Upgrade MikroORM to version 6.6.10 or newer, or 7.0.6 or newer, where the merge function now filters prohibited keys.", "If an upgrade is not immediately possible, validate or sanitize input objects before passing them to Utils.merge, ensuring keys like __proto__, constructor, and prototype are removed or ignored.", "Monitor application logs for anomalous prototype modifications or errors that may indicate attempted exploitation.", "Apply general defensive coding practices for JavaScript applications, such as using Object.freeze to protect critical objects and restricting the namespaces used for runtime configuration."], "summary": {"action": "Immediate Patch", "impact": "Prototype pollution leading to possible arbitrary property injection and downstream code execution"}, "threat_synthesis": {"affected_systems": "Vendors and products affected are the MikroORM TypeScript Object\u2011Relational Mapping library released by mikro\u2011orm under the product name \"MikroORM\". All versions preceding 6.6.10 of the 6.x series and 7.0.6 of the 7.x series are vulnerable; users of these releases should review their dependency graph for the presence of MikroORM.", "description_and_impact": "The vulnerability resides in MikroORM\u2019s Utils.merge helper, which historically accepts objects without sanitizing special keys such as __proto__, constructor, or prototype. This omission permits an attacker to inject those keys into the merge process, thereby altering the JavaScript object prototype chain. The result can be unpredictable behavior, modification of prototype methods, and in some contexts escalation to arbitrary code execution. The weakness is identified as CWE\u20111321, a prototype pollution flaw.", "risk_and_exploitability": "The CVSS score of 8.3 reflects the high severity of prototype injection, particularly in environments where MikroORM processes untrusted input. EPSS indicates a low probability of exploitation (<1%), and the flaw is not listed in CISA\u2019s KEV catalog, suggesting no widespread public exploits yet. However, the vulnerability can be leveraged remotely wherever an application exposes an API or interface that triggers Utils.merge with user\u2011controlled data. Successful exploitation would require an attacker to supply crafted input that merges into application objects, with potential cascading effects depending on how MikroORM interacts with the rest of the code."}}}}, "created": "2026-03-31T19:54:11.710774+00:00", "updated": "2026-04-03T21:17:39.203923+00:00", "vendors": ["mikro-orm", "mikro-orm$PRODUCT$mikro-orm"]}