Prototype Pollution in Mikro-orm

CVE-2026-34221

MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, a prototype pollution vulnerability exists in the Utils.merge helper used internally by MikroORM whe…

Vulnerability class: Prototype Pollution

EPSS: 0.000 (14.7th percentile)

Affected products

  • Mikro-orm: versions < 6.6.10; versions >= 7.0.0-rc.0 and < 7.0.6

Weakness classification (CWE)

References