CVE-2024-21507
Severity CVSS v4.0: Pending analysis
Type: CWE-20 (Improper Input Validation)
Publication date: 10/04/2024
Last modified: 17/06/2025
Description
Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation in the keyFromFields function, which derives the parser-cache key by concatenating result-set field attributes with delimiter characters without escaping the values. An attacker who can place a colon (:) inside a value that goes into that key, such as a column name, can craft a key that collides with the key of a different result set, so that a parser compiled for the attacker's result set is served from the cache for the victim's result set (cache poisoning). Fixed in 3.9.3 (see the linked commit and pull request below).
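The collision the description refers to, as an added JavaScript example that is not mysql2's own code: `vulnerableKeyFromFields` is a constructed, simplified model of a delimiter-joined cache key, `hardenedKeyFromFields` is one assumed fix (serialising the key as JSON so delimiters inside a value cannot be read as separators), and the field metadata, column types and row values are constructed for the illustration.

```javascript
// Added illustration (constructed, not mysql2's code) of how an unescaped ':'
// in a field name lets two different result sets derive the same cache key.

// Simplified model of a pre-3.9.3-style key builder: field attributes are
// joined with ':' and fields with '/', and nothing is escaped.
function vulnerableKeyFromFields(type, fields) {
  let key = type;
  for (const f of fields) {
    key += `/${f.name}:${f.columnType}:${f.length}:${f.flags}:${f.characterSet}`;
  }
  return key;
}

// Assumed hardened variant: the key is structured data serialised with JSON,
// so a ':' or '/' inside a field name stays inside a quoted string.
function hardenedKeyFromFields(type, fields) {
  const parts = [type];
  for (const f of fields) {
    parts.push([f.name, f.columnType, f.length, f.flags, f.characterSet]);
  }
  return JSON.stringify(parts);
}

// Minimal stand-in for a compiled row parser: maps a raw row (array of
// strings from the wire) to an object keyed by column name, converting
// columns whose columnType is 3 (MYSQL_TYPE_LONG) to numbers.
function compileRowParser(fields) {
  return (raw) => {
    const row = {};
    fields.forEach((f, i) => {
      row[f.name] = f.columnType === 3 ? Number(raw[i]) : raw[i];
    });
    return row;
  };
}

// Parser cache keyed by whichever key function is supplied.
class ParserCache {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.parsers = new Map();
  }
  getParser(type, fields) {
    const key = this.keyFn(type, fields);
    if (!this.parsers.has(key)) {
      this.parsers.set(key, compileRowParser(fields));
    }
    return this.parsers.get(key);
  }
}

// Constructed field metadata. The attacker's result set has one VAR_STRING
// column (type 253) whose alias embeds the delimiters, e.g.
//   SELECT ... AS `id:3:11:1:63/foo`
// so that the joined key reads exactly like the victim's two-column key.
const attackerFields = [
  { name: 'id:3:11:1:63/foo', columnType: 253, length: 255, flags: 0, characterSet: 33 },
];
// Victim's result set: an INT column "id" followed by a VARCHAR column "foo".
const victimFields = [
  { name: 'id', columnType: 3, length: 11, flags: 1, characterSet: 63 },
  { name: 'foo', columnType: 253, length: 255, flags: 0, characterSet: 33 },
];

// Run the attacker's result set through the cache first, then the victim's,
// and return the victim's parsed row. With the vulnerable key the attacker's
// parser is reused and the second column is silently dropped.
function parseVictimRow(keyFn, rawRow) {
  const cache = new ParserCache(keyFn);
  cache.getParser('row', attackerFields); // poisons the cache (or not)
  return cache.getParser('row', victimFields)(rawRow);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('keys collide:',
    vulnerableKeyFromFields('row', attackerFields) === vulnerableKeyFromFields('row', victimFields));
  console.log('vulnerable:', parseVictimRow(vulnerableKeyFromFields, ['42', 'bar']));
  console.log('hardened:  ', parseVictimRow(hardenedKeyFromFields, ['42', 'bar']));
}
```

With the vulnerable key function both field lists serialise to `row/id:3:11:1:63/foo:253:255:0:33`, so the victim row `['42', 'bar']` comes back as `{ 'id:3:11:1:63/foo': '42' }` with `bar` discarded and `id` left as a string; with the JSON-serialised key the two result sets get distinct parsers and the row is `{ id: 42, foo: 'bar' }`. The practical check for an application is the same as the fix: upgrade to mysql2 3.9.3 or later rather than trying to filter colons out of column aliases.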
Impact
Base Score (CVSS 3.x): 6.5
Severity (CVSS 3.x): MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:sidorares:mysql2:*:*:*:*:*:*:*:* | | 3.9.3 (excluding) |
References to Advisories, Solutions, and Tools
- https://blog.slonser.info/posts/mysql2-attacker-configuration/
- https://github.com/sidorares/node-mysql2/commit/0d54b0ca6498c823098426038162ef10df02c818
- https://github.com/sidorares/node-mysql2/pull/2424
- https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591300