A critical vulnerability has been identified in MikroORM, a widely used TypeScript Object-Relational Mapper (ORM) for Node.js. With over 2 million downloads every month, the impact of this flaw could be felt across a vast ecosystem of modern web applications.
The vulnerability, tracked as CVE-2026-34220, carries a CVSSv4 score of 9.3, signaling an urgent need for developers to patch their systems.
The issue lies in how MikroORM versions 6.6.9 and below, as well as 7.0.5 and below, interpret data passed to its query construction APIs. Researchers found that the ORM was susceptible to SQL injection when “specially crafted objects are interpreted as raw SQL query fragments”.
Technically, the vulnerability was rooted in “duck-typed detection of internal ORM marker properties”. Essentially, if a malicious user could mimic the structure of an internal ORM object, they could trick the system into executing their own raw SQL code.
The danger is highest for applications that take user-controlled input and pass it directly into MikroORM’s write APIs without rigorous filtering. Specifically, the following common patterns are affected:
- Using wrap(entity).assign(userInput) followed by em.flush().
- Direct calls to em.nativeUpdate() or em.nativeInsert().
- Creating new entities via em.create() and flushing them to the database.
However, there is a silver lining for some: “Applications that validate input types or enforce strict schema validation… are not affected”.
To address the root cause, MikroORM’s maintainers have overhauled how the library identifies internal markers. The fix replaces the easily mimicked “duck-typed” checks with “symbol-based markers that cannot be reproduced by user input”.
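As an added illustration that is not MikroORM’s own code (the marker names, the toy SET-clause builder and the helper functions are hypothetical), the snippet below shows why a string-keyed marker can be imitated by a JSON request body while a Symbol-keyed marker cannot, and why the scalar-only input validation the advisory cites as a mitigation stops the forged object before it reaches the query builder:

```typescript
// Added illustration, not MikroORM's code: marker names and helpers are hypothetical.
// A string-keyed ("duck-typed") marker can be forged by JSON input; a Symbol-keyed one cannot.

const RAW_MARKER_KEY = '__rawSqlMarker';                         // hypothetical duck-typed marker
const RAW_MARKER_SYMBOL: unique symbol = Symbol('rawSqlMarker'); // hypothetical symbol marker

interface RawFragment { sql: string }

// Vulnerable shape: any object carrying the right property name passes.
function isRawDuckTyped(value: unknown): value is RawFragment {
  if (typeof value !== 'object' || value === null) return false;
  const obj = value as Record<string, unknown>;
  return obj[RAW_MARKER_KEY] === true && typeof obj['sql'] === 'string';
}

// Hardened shape: JSON.parse never yields Symbol-keyed properties, so only code
// holding this module-private symbol can mint a fragment that passes.
function isRawSymbol(value: unknown): value is RawFragment {
  if (typeof value !== 'object' || value === null) return false;
  return (value as { [RAW_MARKER_SYMBOL]?: unknown })[RAW_MARKER_SYMBOL] === true;
}

// The only legitimate way to build a raw fragment (library-side code).
function raw(sql: string): RawFragment {
  return { sql, [RAW_MARKER_SYMBOL]: true } as RawFragment;
}

// Toy SET-clause builder standing in for an update API: fragments are inlined
// verbatim, everything else is bound as a parameter.
function buildSet(data: Record<string, unknown>,
                  isRaw: (v: unknown) => v is RawFragment): { sql: string; params: unknown[] } {
  const parts: string[] = [];
  const params: unknown[] = [];
  for (const [col, val] of Object.entries(data)) {
    if (isRaw(val)) parts.push(`${col} = ${val.sql}`);
    else { parts.push(`${col} = ?`); params.push(val); }
  }
  return { sql: `SET ${parts.join(', ')}`, params };
}

// Schema-style gate matching the advisory's mitigation: columns accept scalars only,
// so nested objects (the only vehicle for a forged marker) are rejected up front.
function assertScalarPayload(data: Record<string, unknown>): void {
  for (const [col, val] of Object.entries(data)) {
    if (val !== null && typeof val === 'object') throw new TypeError(`${col}: objects not allowed`);
  }
}

// Constructed sample: a JSON body whose nested object imitates the string-keyed marker.
const forgedBody = JSON.parse('{"name":{"__rawSqlMarker":true,"sql":"42"}}') as Record<string, unknown>;
```

With the duck-typed check the forged body’s nested object is inlined into the statement; with the symbol check it is merely bound as a parameter, and the scalar-only gate rejects it outright.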
Developers are urged to update to the following patched versions immediately: