Description
Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper sanitization of user input passed to fields and tables when using nestTables.
Scores
CVSS v3
8.2
EPSS
0.6834
EPSS Percentile
98.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-1321
Status
published
Products (3)
n/a/mysql2
< 3.9.8
n/a/org.webjars.npm:mysql2
npm/mysql2
0 - 3.9.8 (npm)
Published
May 29, 2024
Tracked Since
Feb 18, 2026