MikroORM Prototype Pollution Vulnerability in Object Merging Utility

Vulnerability

A prototype pollution vulnerability has been identified in MikroORM, a TypeScript ORM for Node.js. This issue affects versions 6.6.9 and prior, as well as 7.x through 7.0.5. The vulnerability arises in the 'Utils.merge' helper, which is used internally by MikroORM to merge object structures. The function fails to sanitize special keys like '__proto__', 'constructor', and 'prototype', allowing attacker-controlled input to alter the JavaScript object prototype during the merge process. Exploitation of this vulnerability requires application code to pass untrusted user input into ORM operations that merge objects, such as assigning entity properties or constructing query conditions. The prototype pollution could lead to a denial-of-service condition or cause unexpected application behavior. In some cases, the polluted properties might affect query construction and potentially allow for SQL injection, depending on the application's code.
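The failure mode described above, as an added illustration that is not MikroORM's own 'Utils.merge' code: a hypothetical naive deep merge that follows every key by name (so a request body containing a '__proto__' key writes through to Object.prototype), shown beside a hardened variant that refuses the three keys named in this advisory. The request body and the 'polluted' marker are constructed for the demonstration; the 'demonstrate' helper doubles as the kind of regression check an application team can keep in its test suite.

```javascript
// Illustrative example, not MikroORM's Utils.merge: a naive recursive merge
// beside a hardened one that blocks keys able to reach Object.prototype.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: assigns every source key by name. For a key named "__proto__",
// target[key] resolves to the target's prototype, so the nested merge writes
// properties onto Object.prototype, which every plain object then inherits.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: skips the prototype-reaching keys and only descends into
// properties the target actually owns, so inherited objects are never touched.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue; // drop __proto__ / constructor / prototype
    const val = source[key];
    if (isPlainObject(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed request body. JSON.parse creates an own "__proto__" property,
// which is exactly what a merge helper must refuse to follow.
const RAW_BODY =
  '{"name":"alice","profile":{"role":"user"},"__proto__":{"polluted":true}}';

// Runs one merge implementation against the body and reports whether an
// unrelated object picked up the injected property. Any pollution is undone
// afterwards so the rest of the process is unaffected.
function demonstrate(mergeFn) {
  const probe = {}; // has no own "polluted" key; only pollution can set it
  const merged = mergeFn({}, JSON.parse(RAW_BODY));
  const leaked = probe.polluted === true;
  delete Object.prototype.polluted;
  return { name: merged.name, role: merged.profile.role, leaked };
}

console.log('naive:', demonstrate(naiveMerge)); // leaked: true
console.log('safe: ', demonstrate(safeMerge));  // leaked: false
```

Both variants still produce the expected nested merge ('profile.role' is copied), which is the property to assert on when confirming that a hardening change did not break ordinary behaviour. Freezing Object.prototype at startup is a complementary defence-in-depth measure, but it does not replace rejecting the keys at the merge boundary.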

Impact

Exploitation of this vulnerability can cause prototype pollution, leading to a denial-of-service condition or unexpected application behavior. In certain scenarios, the pollution could influence query construction and result in SQL injection, depending on the application's code.

Remediation

Users should upgrade to MikroORM 6.6.10 (for the 6.x line) or 7.0.6 (for the 7.x line) to address this vulnerability.

Added: Mar 31, 2026, 4:40 PM
Updated: Mar 31, 2026, 4:40 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.6
exploitability: 7.4
remediation: 0.0
relevance: 5.0
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.