CVE-2024-21509: mysql2 vulnerable to Prototype Poisoning
(updated )
Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.
References
- blog.slonser.info/posts/mysql2-attacker-configuration
- github.com/advisories/GHSA-49j4-86m8-q2jw
- github.com/sidorares/node-mysql2
- github.com/sidorares/node-mysql2/blob/fd3d117da82cc5c5fa5a3701d7b33ca77691bc61/lib/parsers/text_parser.js%23L134
- github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691
- github.com/sidorares/node-mysql2/pull/2574
- github.com/sidorares/node-mysql2/releases/tag/v3.9.4
- nvd.nist.gov/vuln/detail/CVE-2024-21509
- security.snyk.io/vuln/SNYK-JS-MYSQL2-6591084
Code Behaviors & Features
Detect and mitigate CVE-2024-21509 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →