Listen to this Post
The vulnerability resides in the `Utils.merge` helper function, which internally performs recursive merging of JavaScript objects. The function lacked safeguards against prototype-pollution special properties (__proto__, constructor, prototype). When attacker-controlled input is passed to any ORM operation that triggers object merging—such as entity property assignment via `em.create()` or query condition construction with `where` clauses—the merge logic blindly copies properties. If the input contains a key like `__proto__` with a nested object, that object is merged into the global Object.prototype. Once the prototype is polluted, all subsequently created objects inherit the injected property. This can cause denial-of-service by overriding existing methods or properties, or lead to unexpected application behavior. In advanced scenarios, if the polluted property is later used in SQL query building (e.g., a property named `where` that becomes a string), it may facilitate SQL injection depending on how the application constructs queries.
Platform: MikroORM
Version: <= 5.6.x
Vulnerability: Prototype Pollution
Severity: High
date: 2023-01-26
Prediction: Already patched
What Undercode Say:
Check installed version npm list @mikro-orm/core Verify fix in version 5.7.0+ npm install @mikro-orm/core@^5.7.0
// PoC: pollute prototype via Utils.merge
const { Utils } = require('@mikro-orm/core');
const malicious = JSON.parse('{"<strong>proto</strong>":{"polluted":true}}');
Utils.merge({}, malicious);
console.log({}.polluted); // true
Exploit:
Attacker supplies JSON payload with `__proto__` or `constructor` keys during entity creation or query filtering. Example: `{ “name”: “test”, “__proto__”: { “isAdmin”: true } }` passed to em.create(). The merge function pollutes Object.prototype.isAdmin, affecting all objects.
Protection from this CVE
Upgrade to MikroORM >= 5.7.0. Avoid merging untrusted input with internal helpers. Use `Object.freeze(Object.prototype)` as a temporary mitigation. Sanitize keys by rejecting those matching __proto__, constructor, prototype.
Impact
Remote denial of service, unexpected application logic, and potential SQL injection if polluted properties influence query building. Attackers can alter core object behavior across the application.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

