CVE-2024-21509 – mysql2
Package
Manager: npm
Name: mysql2
Vulnerable Version: >=0 <3.9.4
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00585 (percentile 0.68079)
Details
mysql2 vulnerable to Prototype Poisoning
Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through `parserFn` in `text_parser.js` and `binary_parser.js`.
Metadata
Created: 2024-04-10T15:30:39Z
Modified: 2024-08-22T16:17:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-49j4-86m8-q2jw/GHSA-49j4-86m8-q2jw.json
CWE IDs: ["CWE-1321"]
Alternative ID: GHSA-49j4-86m8-q2jw
Finding: F390
Auto approve: 1