CVE-2024-21509

medium

Description

Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.

References

https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591084

https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4

https://github.com/sidorares/node-mysql2/pull/2574

https://github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691

https://github.com/sidorares/node-mysql2/blob/fd3d117da82cc5c5fa5a3701d7b33ca77691bc61/lib/parsers/text_parser.js%23L134

https://blog.slonser.info/posts/mysql2-attacker-configuration/

Details

Source: Mitre, NVD

Published: 2024-04-10

Updated: 2025-06-17

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Severity: Medium

CVSS v4

Base Score: 6.9

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Severity: Medium

EPSS

EPSS: 0.02698

Detections

Analytics

CVE-2024-21509

medium

Description

References

Details

Risk Information

CVSS v2

CVSS v3

CVSS v4

EPSS