MikroORM has SQL injection via runtime-controlled identifiers and JSON-path keys

Description

Summary

MikroORM's identifier-quoting helper (Platform.quoteIdentifier and the postgres/mssql overrides) and its JSON-path emitters (Platform.getSearchJsonPropertyKey, quoteJsonKey) did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When application code passes attacker-influenced strings to public ORM APIs that expect an identifier or a JSON-property filter, an attacker can break out of the quoted context and inject arbitrary SQL.

Affected APIs

The vulnerability is reachable when application code passes an attacker-influenced string to any of the following documented APIs:

  • Multi-tenant schema optionem.fork({ schema }), qb.withSchema(name), wrap(entity).setSchema(name), em.create(Cls, data, { schema }). The schema name is concatenated into the SQL identifier and never had its dialect quote character escaped.
  • em.find / qb.where JSON-property filtersem.find(Entity, { jsonCol: { [userKey]: value } }). The user-supplied JSON sub-keys cannot be validated against any metadata (JSON columns are schemaless by design), and were spliced into the SQL string literal of the JSON path expression without escaping.
  • qb.where / qb.orderBy / qb.groupBy / qb.having / qb.select keys — keys containing . or :: bypassed the structured-where metadata validator in CriteriaNode, then flowed through the same broken quoteIdentifier. Apps that forwarded raw filter keys from request input were already broken on authorization grounds (e.g. { isAdmin: true }); the SQL injection here is a defence-in-depth failure on top of that.

The vulnerability does not affect documented escape-hatch APIs (raw(), the sql tagged template, qb.raw(), em.raw()) — those are documented as accepting raw SQL and are the application's responsibility to sanitize.

Impact

  • Confidentiality — read from any table/schema the database user has access to (cross-tenant data leak in multi-tenant deployments).
  • Integrity — on dialects supporting multi-statement queries (MSSQL, MySQL with multi-statement enabled), execute additional arbitrary SQL statements (data modification, in-database privilege escalation).
  • Availability — DROP/TRUNCATE via injected statements where the database user has the privilege.

Affected dialects

All SQL dialects supported by MikroORM. The identifier-quoting bug exists in every dialect's quoteIdentifier (the dialect's own quote character — backtick, double quote, or right bracket — was not doubled when embedded in the identifier). The JSON-path bug exists in all dialects' getSearchJsonPropertyKey/quoteJsonKey.

MongoDB driver is not affected (no SQL).

Patches

  • v7: upgrade to 7.0.14 or later.
  • v6: upgrade to 6.6.14 or later.

Patches:
* Identifier quoting: #7653 (master) / #7654 (6.x)
* JSON-path keys: #7656 (master) / #7657 (6.x)

Workarounds

If users cannot upgrade immediately:

  • For multi-tenant apps using em.fork({ schema }) / wrap().setSchema() / qb.withSchema(): validate the schema name against a strict allowlist (e.g. ^[A-Za-z_][\w$]*$) before passing it to MikroORM.
  • For applications that pass where / orderBy filters from request input: validate every key against the entity's known properties before constructing the filter; do not pass keys containing . or :: from user input.
  • For applications that allow filtering on JSON columns from request input: validate every JSON sub-key against an allowlist (or against ^[a-zA-Z_][\w]*$) before passing it to em.find.

Credits

Reported and patched by Martin Adámek (project maintainer) during an internal security review.

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-05-08 19:17:45 UTC
Updated
2026-06-08 23:27:30 UTC
GitHub reviewed
2026-05-08 19:17:45 UTC
NVD published
2026-05-26

EPSS Score

Score Percentile
0.78% 74.05%

CVSS Scores

Base score Version Severity Vector
7.6 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:L)
Might cause slowdowns, glitches, or partial disruption—not a full brick.

Identifiers

CWEs

CWE id Name
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Affected packages (2)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
npm @mikro-orm/sql <= 7.0.13 7.0.14
npm @mikro-orm/knex <= 6.6.13 6.6.14

References

cvelogic Threat Intelligence