Upgrade @mikro-orm/sql to version 7.0.14 or higher.
@mikro-orm/sql is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Supports MongoDB, MySQL, PostgreSQL and SQLite databases as well as usage with vanilla JavaScript.
Affected versions of this package are vulnerable to SQL Injection via improper escaping in the quoteIdentifier and getSearchJsonPropertyKey functions. An attacker can execute arbitrary SQL commands, read sensitive data, or modify and delete database contents by supplying specially crafted input to APIs that accept identifiers or JSON-path keys.
This vulnerability can be mitigated by validating schema names against a strict allowlist before passing them to the relevant APIs, ensuring filter keys from user input match known entity properties, and validating JSON sub-keys against an allowlist or a strict pattern before use.
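The mitigation above, as an added example that is not part of @mikro-orm/sql or this advisory: allowlist and pattern guards applied to schema names, filter keys and JSON sub-keys before they are handed to any identifier-accepting API. The entity metadata, schema list and identifier pattern are constructed assumptions for the illustration.

```typescript
// Added example (not @mikro-orm/sql code): reject untrusted identifiers and
// JSON-path keys before they reach an ORM API that quotes or concatenates them.

// Strict identifier shape assumed for sub-keys; the ORM's own quoting is not
// relied upon, so anything outside this pattern is refused outright.
const IDENTIFIER_PATTERN = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;

// Constructed entity metadata: entity name -> its known property names.
const KNOWN_PROPERTIES: Record<string, ReadonlySet<string>> = {
  User: new Set(['id', 'email', 'profile']),
};

// Constructed allowlist of schema names the application actually uses.
const ALLOWED_SCHEMAS: ReadonlySet<string> = new Set(['public', 'tenant_a']);

// Schema names come only from the allowlist, never from a pattern check alone.
function isSafeSchema(name: string): boolean {
  return ALLOWED_SCHEMAS.has(name);
}

// Filter keys taken from user input must name a known property of the entity.
function isKnownProperty(entity: string, key: string): boolean {
  const props = KNOWN_PROPERTIES[entity];
  return props !== undefined && props.has(key);
}

// A JSON path such as "profile.address.city" is accepted only if its root is a
// known property and every sub-key matches the strict identifier pattern.
function isSafeJsonPath(entity: string, path: string): boolean {
  const parts = path.split('.');
  if (!isKnownProperty(entity, parts[0])) return false;
  return parts.slice(1).every((p) => IDENTIFIER_PATTERN.test(p));
}

// Throwing variant so callers cannot forget to check the boolean result.
function assertSafeJsonPath(entity: string, path: string): string {
  if (!isSafeJsonPath(entity, path)) {
    throw new Error(`rejected JSON path for ${entity}: ${JSON.stringify(path)}`);
  }
  return path;
}
```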