MikroORM has SQL injection via runtime-controlled identifiers and JSON-path keys

説明

Summary

MikroORM's identifier-quoting helper (Platform.quoteIdentifier and the postgres/mssql overrides) and its JSON-path emitters (Platform.getSearchJsonPropertyKey, quoteJsonKey) did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When application code passes attacker-influenced strings to public ORM APIs that expect an identifier or a JSON-property filter, an attacker can break out of the quoted context and inject arbitrary SQL.

Affected APIs

The vulnerability is reachable when application code passes an attacker-influenced string to any of the following documented APIs:

  • Multi-tenant schema optionem.fork({ schema }), qb.withSchema(name), wrap(entity).setSchema(name), em.create(Cls, data, { schema }). The schema name is concatenated into the SQL identifier and never had its dialect quote character escaped.
  • em.find / qb.where JSON-property filtersem.find(Entity, { jsonCol: { [userKey]: value } }). The user-supplied JSON sub-keys cannot be validated against any metadata (JSON columns are schemaless by design), and were spliced into the SQL string literal of the JSON path expression without escaping.
  • qb.where / qb.orderBy / qb.groupBy / qb.having / qb.select keys — keys containing . or :: bypassed the structured-where metadata validator in CriteriaNode, then flowed through the same broken quoteIdentifier. Apps that forwarded raw filter keys from request input were already broken on authorization grounds (e.g. { isAdmin: true }); the SQL injection here is a defence-in-depth failure on top of that.

The vulnerability does not affect documented escape-hatch APIs (raw(), the sql tagged template, qb.raw(), em.raw()) — those are documented as accepting raw SQL and are the application's responsibility to sanitize.

Impact

  • Confidentiality — read from any table/schema the database user has access to (cross-tenant data leak in multi-tenant deployments).
  • Integrity — on dialects supporting multi-statement queries (MSSQL, MySQL with multi-statement enabled), execute additional arbitrary SQL statements (data modification, in-database privilege escalation).
  • Availability — DROP/TRUNCATE via injected statements where the database user has the privilege.

Affected dialects

All SQL dialects supported by MikroORM. The identifier-quoting bug exists in every dialect's quoteIdentifier (the dialect's own quote character — backtick, double quote, or right bracket — was not doubled when embedded in the identifier). The JSON-path bug exists in all dialects' getSearchJsonPropertyKey/quoteJsonKey.

MongoDB driver is not affected (no SQL).

Patches

  • v7: upgrade to 7.0.14 or later.
  • v6: upgrade to 6.6.14 or later.

Patches:
* Identifier quoting: #7653 (master) / #7654 (6.x)
* JSON-path keys: #7656 (master) / #7657 (6.x)

Workarounds

If users cannot upgrade immediately:

  • For multi-tenant apps using em.fork({ schema }) / wrap().setSchema() / qb.withSchema(): validate the schema name against a strict allowlist (e.g. ^[A-Za-z_][\w$]*$) before passing it to MikroORM.
  • For applications that pass where / orderBy filters from request input: validate every key against the entity's known properties before constructing the filter; do not pass keys containing . or :: from user input.
  • For applications that allow filtering on JSON columns from request input: validate every JSON sub-key against an allowlist (or against ^[a-zA-Z_][\w]*$) before passing it to em.find.

Credits

Reported and patched by Martin Adámek (project maintainer) during an internal security review.

基本情報

タイプ
reviewed
深刻度
high
GitHub 上のアドバイザリ
アドバイザリを開く ↗
リポジトリのアドバイザリ
リポジトリのアドバイザリを開く ↗
ソースコード
ソースを見る ↗
公開(アドバイザリ)
2026-05-08 19:17:45 UTC
更新
2026-06-08 23:27:30 UTC
GitHub レビュー済み
2026-05-08 19:17:45 UTC
NVD で公開
2026-05-26

EPSS Score

Score Percentile
0.78% 74.05%

CVSS Scores

Base score Version Severity Vector
7.6 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L クリックして展開
攻撃ベクター (AV:N)
インターネットなど、ルーティングされたネットワーク越しに遠隔から悪用しうる。端末の前にいる必要はない。
攻撃の複雑さ (AC:L)
攻撃者が条件を満たせば、レース条件や珍しい構成に依存せずに再現しやすい。
必要な権限 (PR:L)
一般ユーザー権限があれば足り、管理者(root 相当)は不要。
ユーザーの関与 (UI:N)
メールのリンクを開く、マクロを有効にするなど、被害者の協力がなくても成立しうる。
スコープ (S:U)
影響は脆弱コンポーネントと同一のセキュリティ権限・信頼境界の内側に収まる。
機密性への影響 (C:H)
広範な機微データの読み取りや持ち出しが現実的。
完全性への影響 (I:L)
レコードの一部書き換えや設定の歪みなど、限定的だが検知・復旧が必要な水準。
可用性への影響 (A:L)
遅延や一部機能の停止、断続的な障害など、運用で吸収しうる範囲。

Identifiers

CWEs

CWE id Name
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Affected packages (2)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
npm @mikro-orm/sql <= 7.0.13 7.0.14
npm @mikro-orm/knex <= 6.6.13 6.6.14

References

cvelogic Threat Intelligence