MikroORM
- <= 6.6.13
A SQL injection vulnerability has been identified in MikroORM, a TypeScript ORM for Node.js. This issue affects versions of @mikro-orm/knex through 6.6.13 and @mikro-orm/sql through 7.0.13. The vulnerability arises because the ORM's identifier-quoting helper and JSON-path emitters did not properly escape characters that delimit SQL identifiers or string-literal contexts. As a result, when application code passes attacker-influenced strings to public ORM APIs that expect identifiers or JSON-property filters, an attacker can break out of the quoted context and inject arbitrary SQL. The vulnerability is present in all SQL dialects supported by MikroORM, but the MongoDB driver is not affected.
Exploitation of this vulnerability allows for arbitrary SQL injection, with potential consequences including unauthorized data access, data modification, privilege escalation, and disruption of database availability through destructive commands.
Users can upgrade to @mikro-orm/knex version 6.6.14 or @mikro-orm/sql version 7.0.14. If an immediate upgrade is not possible, multi-tenant applications should validate schema names against a strict allowlist before using them with MikroORM. Applications that pass filter keys from user input should validate those keys against known entity properties and avoid using keys that contain dots or colons. For filtering on JSON columns, validate JSON sub-keys against an allowlist before using them in queries.
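One way to implement the interim allowlist checks described above, as an added example that is not MikroORM's own code; the schema list, entity property list and JSON sub-key list are constructed sample data, and the validated values are assumed to be passed on to the ORM's schema, filter and JSON-property APIs by the caller:

```typescript
// Added example: validate attacker-influenced strings before they reach ORM
// APIs that expect identifiers or JSON-property filter keys. Not MikroORM code.

// Schema names a multi-tenant app actually provisions (constructed sample).
const ALLOWED_SCHEMAS: ReadonlySet<string> = new Set(["tenant_a", "tenant_b"]);

// Properties of the entity being filtered (constructed sample).
const KNOWN_PROPS: ReadonlySet<string> = new Set(["id", "email", "meta"]);

// JSON sub-keys permitted under each JSON column (constructed sample).
const JSON_SUBKEYS: Record<string, ReadonlySet<string>> = {
  meta: new Set(["plan", "region"]),
};

// Plain identifier only: no quote characters, dots or colons (path delimiters).
const IDENT_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Accepts a schema name only if it is on the strict allowlist.
function assertSafeSchema(name: string): string {
  if (!ALLOWED_SCHEMAS.has(name)) {
    throw new Error(`schema not in allowlist: ${JSON.stringify(name)}`);
  }
  return name;
}

// Returns the filter unchanged if every key is a known entity property
// spelled as a plain identifier; rejects keys containing dots or colons.
function validateFilterKeys(filter: Record<string, unknown>): Record<string, unknown> {
  const safe: Record<string, unknown> = {};
  for (const [key, value] of Object.entries(filter)) {
    if (!IDENT_RE.test(key) || !KNOWN_PROPS.has(key)) {
      throw new Error(`rejected filter key: ${JSON.stringify(key)}`);
    }
    safe[key] = value;
  }
  return safe;
}

// Builds a nested filter ({ column: { subkey: value } }) for a JSON column,
// but only when the sub-key is allowlisted for that column. The nested-object
// form keeps the caller from concatenating a path string from user input.
function jsonFilter(column: string, subkey: string, value: unknown): Record<string, unknown> {
  const allowed = JSON_SUBKEYS[column];
  if (!allowed || !IDENT_RE.test(subkey) || !allowed.has(subkey)) {
    throw new Error(`rejected JSON sub-key: ${JSON.stringify(column + "." + subkey)}`);
  }
  return { [column]: { [subkey]: value } };
}
```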