chore(deps): update dependency @mikro-orm/core to v6.6.10 [security] #2725

Open

renovate[bot] wants to merge 1 commit into master from renovate/npm-mikro-orm-core-vulnerability

Conversation

@renovate renovate Bot (Contributor) commented May 7, 2026

This PR contains the following updates:

| Package | Change | Age | Confidence |
| --- | --- | --- | --- |
| @mikro-orm/core (source) | 6.6.7 → 6.6.10 | age | confidence |

MikroORM is vulnerable to SQL Injection via specially crafted object

CVE-2026-34220 / GHSA-gwhv-j974-6fxm

Details

Summary

MikroORM versions <= 6.6.9 and <= 7.0.5 are vulnerable to SQL injection when specially crafted objects are interpreted as raw SQL query fragments.

Impact

If user-controlled input is passed directly to MikroORM query construction APIs, an attacker may inject raw SQL fragments. This can lead to SQL injection depending on the database and query being executed.

Affected usage

The issue occurs when untrusted objects are passed to ORM write APIs such as:

  • wrap(entity).assign(userInput) followed by em.flush()
  • em.nativeUpdate()
  • em.nativeInsert()
  • em.create() followed by em.flush()

Applications that validate input types or enforce strict schema validation before passing data to MikroORM are not affected.

Fix

The vulnerability was caused by duck-typed detection of internal ORM marker properties.

The fix replaces these checks with symbol-based markers that cannot be reproduced by user input.

Severity

  • CVSS Score: 9.3 / 10 (Critical)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


MikroORM has Prototype Pollution in Utils.merge

CVE-2026-34221 / GHSA-qpfv-44f3-qqx6

Details

A prototype pollution vulnerability exists in the Utils.merge helper used internally by MikroORM when merging object structures.

The function did not prevent special keys such as __proto__, constructor, or prototype, allowing attacker-controlled input to modify the JavaScript object prototype when merged.

Exploitation requires application code to pass untrusted user input into ORM operations that merge object structures, such as entity property assignment or query condition construction.

Prototype pollution may lead to denial of service or unexpected application behavior. In certain scenarios, polluted properties may influence query construction and potentially result in SQL injection depending on application code.

Severity

  • CVSS Score: 8.3 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

mikro-orm/mikro-orm (@mikro-orm/core)

v6.6.10

Bug Fixes
  • core: handle JSON column type conversion in em.refresh() for detached entities (e41b500), closes #7383
  • core: prevent prototype pollution in Utils.merge (06ed5f6)
  • core: tighten query construction validation (ad3643e)
  • schema: escape single quotes in enum CHECK constraints (#7397) (db19731), closes #7396 #7395

v6.6.9

Bug Fixes
  • core: fix findOne with entity refs for composite PKs with shared FK columns (6f95f72), closes #5629
  • core: make entity prototype toJSON non-enumerable to prevent data leaks (c895808)
  • core: prevent double JSON-encoding of nested embeddable arrays (309b278), closes #7233
  • migrations: normalize snapshots and write on both up/down (#7236) (a07aca6), closes #7234
  • migrations: skip snapshot write on migration:up to support read-only filesystems (c8584e8), closes #7232
  • mysql: fix table.bigincrements() producing int instead of bigint (5660607), closes #7246

v6.6.8

Bug Fixes
  • core: allow using property accessor on to-one relations (06978c9), closes #7211
  • core: fix double processing of JSON properties when reloading an entity (514ed87)
  • core: preserve embeddable properties in toPOJO regardless of partial loading hints (c27dbae)
  • core: preserve function expression indexes through metadata cache round-trip (#7229) (9ae8d20), closes #7238
  • core: use full hydration in mergeData for initialized entities (5529308), closes #7205
  • knex: handle $not operator inside relation filters (#7227) (d0dac2f), closes #7226
  • migrations: delete snapshot file after migration:down (dfcc8c6), closes #7210
  • postgres: fix phantom diffs for check constraints (#7224) (103346c)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
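As an added example (not MikroORM's code and not part of this PR), the two hardening patterns the advisories above describe, in plain JavaScript: a deep-merge helper that refuses the `__proto__`, `constructor` and `prototype` keys (the Utils.merge issue), and a Symbol-based marker for raw fragments that a parsed request body cannot carry, beside the duck-typed string-key check it replaces. The `__rawSql` key, the `RAW_FRAGMENT` symbol and the `raw()` helper are hypothetical names for this example, not MikroORM's internal markers; the request body is constructed.

```javascript
// Added example, not MikroORM's code; marker names are hypothetical.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Deep-merge `source` into `target`, dropping the three keys through which an
// own property of untrusted JSON can reach Object.prototype (CVE-2026-34221).
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hypothetical raw-fragment marker. A Symbol is process-local and JSON.parse
// can only produce string keys, so a parsed request body never carries it.
const RAW_FRAGMENT = Symbol('raw-fragment');
function raw(sql) {
  return { [RAW_FRAGMENT]: true, sql };
}

// Duck-typed check, the pattern the advisory names as the cause: any object
// with a `__rawSql: true` string key passes, wherever it came from.
function isRawDuckTyped(value) {
  return isPlainObject(value) && value.__rawSql === true;
}

// Symbol-based check, the pattern the fix describes: only objects created
// in-process through raw() pass.
function isRawSymbol(value) {
  return isPlainObject(value) && value[RAW_FRAGMENT] === true;
}

// Constructed sample of an untrusted request body, as a server would see it.
const UNTRUSTED_BODY = JSON.parse('{"name":"alice","__proto__":{"polluted":true},'
  + '"profile":{"constructor":{"prototype":{"x":1}},"age":30},'
  + '"createdAt":{"__rawSql":true,"sql":"now()"}}');
const merged = safeMerge({}, UNTRUSTED_BODY);
```

After the merge, `({}).polluted` is still `undefined`, `merged.createdAt` fails `isRawSymbol` although it passes `isRawDuckTyped`, and the benign `name`, `profile.age` values survive.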

@renovate renovate Bot force-pushed the renovate/npm-mikro-orm-core-vulnerability branch from 108dcd4 to 78b12f4 Compare May 12, 2026 17:12
@renovate renovate Bot changed the title chore(deps): update dependency @mikro-orm/core to v6.6.10 [security] chore(deps): update dependency @mikro-orm/core to v6.6.10 [security] - autoclosed May 23, 2026
@renovate renovate Bot closed this May 23, 2026
@renovate renovate Bot deleted the renovate/npm-mikro-orm-core-vulnerability branch May 23, 2026 12:47
@renovate renovate Bot changed the title chore(deps): update dependency @mikro-orm/core to v6.6.10 [security] - autoclosed chore(deps): update dependency @mikro-orm/core to v6.6.10 [security] May 23, 2026
@renovate renovate Bot reopened this May 23, 2026
@renovate renovate Bot force-pushed the renovate/npm-mikro-orm-core-vulnerability branch 2 times, most recently from 78b12f4 to 0b9307f Compare May 23, 2026 17:12