MikroORM, Prototype Pollution, CVE-2023-22728 (High)

Listen to this Post

The vulnerability resides in the `Utils.merge` helper function, which internally performs recursive merging of JavaScript objects. The function lacked safeguards against prototype-pollution special properties (__proto__, constructor, prototype). When attacker-controlled input is passed to any ORM operation that triggers object merging—such as entity property assignment via `em.create()` or query condition construction with `where` clauses—the merge logic blindly copies properties. If the input contains a key like `__proto__` with a nested object, that object is merged into the global Object.prototype. Once the prototype is polluted, all subsequently created objects inherit the injected property. This can cause denial-of-service by overriding existing methods or properties, or lead to unexpected application behavior. In advanced scenarios, if the polluted property is later used in SQL query building (e.g., a property named `where` that becomes a string), it may facilitate SQL injection depending on how the application constructs queries.
Platform: MikroORM
Version: <= 5.6.x
Vulnerability: Prototype Pollution
Severity: High
date: 2023-01-26

Prediction: Already patched

What Undercode Say:

Check installed version
npm list @mikro-orm/core
Verify fix in version 5.7.0+
npm install @mikro-orm/core@^5.7.0
// PoC: pollute prototype via Utils.merge
const { Utils } = require('@mikro-orm/core');
const malicious = JSON.parse('{"<strong>proto</strong>":{"polluted":true}}');
Utils.merge({}, malicious);
console.log({}.polluted); // true

Exploit:

Attacker supplies JSON payload with `__proto__` or `constructor` keys during entity creation or query filtering. Example: `{ “name”: “test”, “__proto__”: { “isAdmin”: true } }` passed to em.create(). The merge function pollutes Object.prototype.isAdmin, affecting all objects.

Protection from this CVE

Upgrade to MikroORM >= 5.7.0. Avoid merging untrusted input with internal helpers. Use `Object.freeze(Object.prototype)` as a temporary mitigation. Sanitize keys by rejecting those matching __proto__, constructor, prototype.

Impact

Remote denial of service, unexpected application logic, and potential SQL injection if polluted properties influence query building. Attackers can alter core object behavior across the application.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top