CVE-2024-21512

HIGH

mysql2 < 3.9.8 - Prototype Pollution via nestTables Input

Title source: llm

Description

Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.

References (5)

Core 5

Core References

Various Sources

https://gist.github.com/domdomi3/e9f0f9b9b1ed6bfbbc0bea87c5ca1e4a

Third Party Advisory

https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-7176010

Third Party Advisory

https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6861580

Patch

https://github.com/sidorares/node-mysql2/commit/efe3db527a2c94a63c2d14045baba8dfefe922bc

View Patch ZIP pw:eip

Issue Tracking

https://github.com/sidorares/node-mysql2/pull/2702

Scores

CVSS v3 8.2

EPSS 0.0311

EPSS Percentile 86.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-1321

Status published

Products (3)

n/a/mysql2 < 3.9.8

n/a/org.webjars.npm:mysql2

npm/mysql2 0 - 3.9.8npm

Published May 29, 2024

Tracked Since Feb 18, 2026