MikroORM, SQL Injection, GHSA-cfw5-68c4-ffqp (Critical)


The vulnerability exists in two core SQL-building utilities. First, the `Platform.quoteIdentifier` helper fails to escape the database's own quote character (backtick, double quote, or right bracket) when it appears inside an identifier. Second, the JSON-path emitters `getSearchJsonPropertyKey` and `quoteJsonKey` do not escape delimiters in string literals. When an application passes an attacker-influenced string to any API that expects a schema name, a JSON-property filter, or a query key, such as `em.fork({ schema })`, `em.find({ jsonCol: { : value } })`, or `qb.orderBy`, the attacker can break out of the quoted context and alter the query's structure by injecting SQL. The identifier bug is present in all SQL dialects because the dialect-specific quote character is not doubled; the JSON-path bug exists in all dialects' JSON-path generators. The MongoDB driver is not affected. The issue is patched in versions 6.6.14 and 7.0.14. Workarounds include validating schema names against an allowlist and never passing raw user input to `orderBy`, `groupBy`, or JSON-path filters.
Platform: Node.js
Version: <=6.6.13, <=7.0.13
Vulnerability: SQL Injection
Severity: Critical
Date: 2026-05-08

<h2 style="color: blue;">Prediction: 2026-05-04</h2>

<h2 style="color: blue;">What Undercode Say:</h2>

Commands and code related to this advisory and to the "How Exploit" section below:

```bash
# Check the installed @mikro-orm/core version against the vulnerable ranges
# (fixed in 6.6.14 and 7.0.14); uses the semver CLI from the npm "semver" package
ver=$(npm ls @mikro-orm/core --depth=0 --json \
  | node -p "JSON.parse(require('fs').readFileSync(0, 'utf8')).dependencies['@mikro-orm/core'].version")
if npx semver -r "<6.6.14 || >=7.0.0 <7.0.14" "$ver" >/dev/null; then
  echo "Vulnerable: @mikro-orm/core@$ver"
else
  echo "Version seems safe: @mikro-orm/core@$ver"
fi
```

```javascript
// Payload from the original post: a value carrying the MySQL identifier
// quote character (backtick) followed by additional SQL
const payload = {
  username: "admin`; DROP TABLE users; -- "
};
await em.nativeUpdate(User, { id: 1 }, payload);
```

<h2 style="color: blue;">How Exploit:</h2>
An attacker supplies a crafted schema name or JSON key containing the dialect's quote character and additional SQL. For example, a schema name like `"myschema; DELETE FROM tenants; --"` breaks out of the identifier quoting and executes arbitrary statements.

Protection from this CVE

Upgrade to MikroORM version 6.6.14 or 7.0.14 immediately. If upgrading is not possible, strictly validate all schema names and JSON-path keys against an allowlist (e.g., `^[A-Za-z_][\w$]*$`) and never pass raw user input to `orderBy`, `groupBy`, or JSON-path filters.
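The identifier-quoting flaw described at the top of the post and the allowlist workaround above, as an added example that is not MikroORM's own code: a toy quoter in the shape of `Platform.quoteIdentifier`, shown unescaped and then fixed by doubling the dialect's quote character, plus the regex validator. The dialect table, function names and sample names are assumptions for illustration.

```javascript
// Added example, not MikroORM's code. Dialect quote characters: MySQL/MariaDB
// use backticks, PostgreSQL/SQLite use double quotes, MSSQL uses brackets.
const DIALECTS = {
  mysql: { open: '`', close: '`' },
  postgresql: { open: '"', close: '"' },
  mssql: { open: '[', close: ']' },
};

// Flawed shape: wraps the name but never escapes the quote character inside it,
// so a name that contains the closing quote terminates the identifier early
// and whatever follows is parsed as SQL rather than as part of the name.
function quoteIdentifierUnsafe(dialect, name) {
  const { open, close } = DIALECTS[dialect];
  return open + name + close;
}

// Fixed shape: every occurrence of the closing quote character is doubled,
// which is how each of these dialects represents a literal quote inside an
// identifier, so the name can no longer close the quoted context.
function quoteIdentifierSafe(dialect, name) {
  const { open, close } = DIALECTS[dialect];
  return open + name.split(close).join(close + close) + close;
}

// Defence in depth: the allowlist from the advisory's workaround. Reject
// anything that is not a plain identifier before it reaches the ORM.
const IDENTIFIER_RE = /^[A-Za-z_][\w$]*$/;
function assertSafeSchemaName(name) {
  if (!IDENTIFIER_RE.test(name)) {
    throw new Error('rejected schema name: ' + JSON.stringify(name));
  }
  return name;
}

// Constructed sample: a schema name carrying the MySQL quote character.
const sample = 'tenant`x';
console.log(quoteIdentifierUnsafe('mysql', sample)); // `tenant`x`  (broken)
console.log(quoteIdentifierSafe('mysql', sample));   // `tenant``x` (escaped)
```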

Impact

Successful exploitation allows reading arbitrary tables (cross-tenant data leak), executing additional SQL statements on MSSQL/MySQL (data modification, privilege escalation), and dropping or truncating tables, depending on database user privileges.


Sources:

Reported By: github.com