CVE-2024-21508
CRITICALmysql2 < 3.9.4 - Remote Code Execution via readCodeFor Function
Title source: llmDescription
Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.
References (6)
Core 6
Core References
Various Sources
https://blog.slonser.info/posts/mysql2-attacker-configuration/
Various Sources
https://github.com/sidorares/node-mysql2/blob/1609b5393516d72a4ae47196837317fbe75e0c13/lib/parsers/text_parser.js%23L14C10-L14C21
Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591085
Issue Tracking
https://github.com/sidorares/node-mysql2/pull/2572
Scores
CVSS v3
9.8
EPSS
0.4619
EPSS Percentile
97.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-94
Status
published
Products (2)
n/a/mysql2
< 3.9.4
npm/mysql2
0 - 3.9.4npm
Published
Apr 11, 2024
Tracked Since
Feb 18, 2026