CVE-2024-21508

CRITICAL

NPM Mysql2 < 3.9.4 - Code Injection

Title source: rule

Description

Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.

Exploits (1)

inthewild

poc

https://github.com/geniorio01/cve-2024-21508-mysql2-rce

View on inthewild

References (6)

[Various Sources] https://blog.slonser.info/posts/mysql2-attacker-configuration/

[Various Sources] https://github.com/sidorares/node-mysql2/blob/1609b5393516d72a4ae47196837317fbe75e0c13/lib/parsers/text_parser.js%23L14C10-L14C21

[Third Party Advisory] https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591085

[Patch] https://github.com/sidorares/node-mysql2/commit/74abf9ef94d76114d9a09415e28b496522a94805

View Patch ZIP pw:eip

[Issue Tracking] https://github.com/sidorares/node-mysql2/pull/2572

[Release Notes] https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4

Scores

CVSS v3 9.8

EPSS 0.3968

EPSS Percentile 97.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-94

Status published

Products (2)

n/a/mysql2 < 3.9.4

npm/mysql2 0 - 3.9.4npm

Published Apr 11, 2024

Tracked Since Feb 18, 2026