CVE-2024-21509

MEDIUM

Sidorares Mysql2 < 3.9.4 - Prototype Pollution

Title source: rule

Description

Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.

Scores

CVSS v3 6.5
EPSS 0.0076
EPSS Percentile 73.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-1321
Status published
Products (2)
npm/mysql2 0 - 3.9.4 (npm)
sidorares/mysql2 < 3.9.4
Published Apr 10, 2024
Tracked Since Feb 18, 2026