CVE-2024-21511

CRITICAL9.8EPSS 0.17%

MySQL2 for Node Arbitrary Code Injection

Published: 4/23/2024Modified: 2/4/2026

Also known as:GHSA-4rch-2fh8-94vwCGA-2xc9-49gc-xr3p

Description

Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.

Affected packages (1)

npm/mysql2from 0, < 3.9.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (6)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-21511
PATCHhttps://github.com/sidorares/node-mysql2
WEBhttps://github.com/sidorares/node-mysql2/commit/7d4b098c7e29d5a6cb9eac2633bfcc2f0f1db713
WEBhttps://github.com/sidorares/node-mysql2/pull/2608
WEBhttps://github.com/sidorares/node-mysql2/releases/tag/v3.9.7
WEBhttps://security.snyk.io/vuln/SNYK-JS-MYSQL2-6670046