Prototype Pollution Vulnerability in MikroORM for Node.js
CVE-2026-34221

8.3 HIGH

Key Information:

Vendor:
Mikro-orm
Status:
Vendor
CVE Published:
31 March 2026

What is CVE-2026-34221?

MikroORM, a TypeScript Object-Relational Mapping (ORM) library for Node.js, contains a vulnerability that allows prototype pollution through the Utils.merge utility. In versions prior to 6.6.10 and 7.0.6, the merging of object structures fails to sanitize the special keys __proto__, constructor, and prototype. An attacker who can supply input that reaches the merge can therefore alter the object prototype during merging, potentially leading to severe security issues in applications relying on MikroORM.
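A recursive merge of the shape the description refers to, given here as an added example that is not MikroORM's own Utils.merge: naiveMerge copies every own key of the source, so a parsed JSON body carrying a __proto__ key redirects the recursion into Object.prototype, while safeMerge skips the three special keys named above and only descends into own plain-object slots. The leaksOntoPrototype check, the marker key and the sample payload are constructed for this demonstration.

```typescript
type PlainObject = Record<string, unknown>;
// The special keys named in the advisory; following them redirects a merge
// into Object.prototype (or a constructor's prototype) instead of the target.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function isPlainObject(value: unknown): value is PlainObject {
  if (typeof value !== 'object' || value === null || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}
// Naive deep merge: JSON.parse('{"__proto__": {...}}') yields an own "__proto__"
// key, target["__proto__"] reads Object.prototype, and the recursion writes into it.
function naiveMerge(target: PlainObject, source: PlainObject): PlainObject {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key] as PlainObject, value as PlainObject);
    } else {
      target[key] = value;
    }
  }
  return target;
}
// Hardened merge: skip the unsafe keys outright and only descend into a slot
// that is an own, plain-object property of the target.
function safeMerge(target: PlainObject, source: PlainObject): PlainObject {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue; // the fix: never merge these keys
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = safeMerge(isPlainObject(own) ? own : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}
// Constructed marker and payload for the check below (not taken from the advisory).
const MARKER = 'pollutedByMerge';
const SAMPLE_PAYLOAD = `{"name": "x", "__proto__": {"${MARKER}": true}}`;
// Constructed check: merges the payload into a fresh object with the given
// function and reports whether the marker then shows up on every object.
function leaksOntoPrototype(merge: (t: PlainObject, s: PlainObject) => PlainObject): boolean {
  try {
    merge({}, JSON.parse(SAMPLE_PAYLOAD));
    return ({} as PlainObject)[MARKER] === true;
  } finally {
    delete (Object.prototype as PlainObject)[MARKER]; // never leave residue behind
  }
}
```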

Affected Version(s)

mikro-orm < 6.6.10

mikro-orm >= 7.0.0-rc.0, < 7.0.6

CVSS V4

Score:
8.3
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
