@mikro-orm/core 6.3.13-dev.8

Direct Vulnerabilities

Known vulnerabilities in the @mikro-orm/core package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Prototype Pollution @mikro-orm/core is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Supports MongoDB, MySQL, PostgreSQL and SQLite databases as well as usage with vanilla JavaScript. Affected versions of this package are vulnerable to Prototype Pollution via the `Utils.merge` function. An attacker can modify the JavaScript object prototype by supplying specially crafted input containing keys such as `__proto__`, `constructor`, or `prototype`, which are not properly filtered during object merging. This can result in denial of service, unexpected application behavior, or, in certain cases, influence query construction and potentially lead to SQL injection, depending on how the application processes merged objects. How to fix Prototype Pollution? Upgrade `@mikro-orm/core` to version 6.6.10-dev.1, 7.0.6-dev.8 or higher.	<6.6.10-dev.1>=7.0.0-dev.0 <7.0.6-dev.8
C SQL Injection @mikro-orm/core is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Supports MongoDB, MySQL, PostgreSQL and SQLite databases as well as usage with vanilla JavaScript. Affected versions of this package are vulnerable to SQL Injection via the interpretation of specially crafted objects as raw SQL query fragments in ORM write APIs such as `wrap(entity).assign(userInput)` followed by `em.flush()`, `em.nativeUpdate()`, `em.nativeInsert()`, or `em.create()` followed by `em.flush()`. An attacker can execute arbitrary SQL commands by supplying malicious input to these APIs. How to fix SQL Injection? Upgrade `@mikro-orm/core` to version 6.6.10-dev.1, 7.0.6-dev.8 or higher.	<6.6.10-dev.1>=7.0.0-dev.0 <7.0.6-dev.8

Vulnerability

Vulnerable Version

Prototype Pollution

@mikro-orm/core is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Supports MongoDB, MySQL, PostgreSQL and SQLite databases as well as usage with vanilla JavaScript.

Affected versions of this package are vulnerable to Prototype Pollution via the Utils.merge function. An attacker can modify the JavaScript object prototype by supplying specially crafted input containing keys such as __proto__, constructor, or prototype, which are not properly filtered during object merging. This can result in denial of service, unexpected application behavior, or, in certain cases, influence query construction and potentially lead to SQL injection, depending on how the application processes merged objects.

How to fix Prototype Pollution?

Upgrade @mikro-orm/core to version 6.6.10-dev.1, 7.0.6-dev.8 or higher.

<6.6.10-dev.1>=7.0.0-dev.0 <7.0.6-dev.8

SQL Injection

Affected versions of this package are vulnerable to SQL Injection via the interpretation of specially crafted objects as raw SQL query fragments in ORM write APIs such as wrap(entity).assign(userInput) followed by em.flush(), em.nativeUpdate(), em.nativeInsert(), or em.create() followed by em.flush(). An attacker can execute arbitrary SQL commands by supplying malicious input to these APIs.

How to fix SQL Injection?

Upgrade @mikro-orm/core to version 6.6.10-dev.1, 7.0.6-dev.8 or higher.

<6.6.10-dev.1>=7.0.0-dev.0 <7.0.6-dev.8

@mikro-orm/core@6.3.13-dev.8

TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Supports MongoDB, MySQL, PostgreSQL and SQLite databases as well as usage with vanilla JavaScript.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically