Critical severity 9.8 · NVD Advisory · Published Apr 23, 2024 · Updated Apr 15, 2026
CVE-2024-21511
CVE-2024-21511
Description
Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mysql2 (npm) | < 3.9.7 | 3.9.7 |
Patches
27d4b098c7e29 fix(security): sanitize timezone parameter value to prevent code injection (#2608)
4 files changed · +52 −4
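--- a/lib/parsers/binary_parser.js
+++ b/lib/parsers/binary_parser.js
@@ -42,9 +42,9 @@ function readCodeFor(field, config, options, fieldNum) {
     case Types.TIMESTAMP:
     case Types.NEWDATE:
       if (helpers.typeMatch(field.columnType, dateStrings, Types)) {
-        return `packet.readDateTimeString(${field.decimals});`;
+        return `packet.readDateTimeString(${parseInt(field.decimals, 10)});`;
       }
-      return `packet.readDateTime('${timezone}');`;
+      return `packet.readDateTime(${helpers.srcEscape(timezone)});`;
     case Types.TIME:
       return 'packet.readTimeString()';
     case Types.DECIMAL: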
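Review bot: Escaping `timezone` with `helpers.srcEscape` at each interpolation site in readCodeFor stops the injection, but the option's value is still never validated, and the same per-site pattern recurs in lib/parsers/text_parser.js. If srcEscape is the JSON.stringify-style wrapper I take it to be, any string now reaches `packet.readDateTime` unchanged, so checking `config.timezone` once, where connection options are parsed, against the forms the option documents (`local`, `Z`, `+HH:MM`/`-HH:MM`) would be the defense-in-depth that does not rely on every future codegen site remembering to escape. On the readDateTimeString branch, `parseInt(field.decimals, 10)` yields `NaN` for a non-numeric value; that is inert as generated source but silently changes the parser's behaviour, so a guard such as `const decimals = Number.isInteger(field.decimals) ? field.decimals : 0;` (with whatever fallback the packet reader expects) makes the intent explicit. readCodeFor begins and ends outside the hunk, so where `timezone` is derived is not visible here.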
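--- a/lib/parsers/text_parser.js
+++ b/lib/parsers/text_parser.js
@@ -48,13 +48,13 @@ function readCodeFor(type, charset, encodingExpr, config, options) {
       if (helpers.typeMatch(type, dateStrings, Types)) {
         return 'packet.readLengthCodedString("ascii")';
       }
-      return `packet.parseDate('${timezone}')`;
+      return `packet.parseDate(${helpers.srcEscape(timezone)})`;
     case Types.DATETIME:
     case Types.TIMESTAMP:
       if (helpers.typeMatch(type, dateStrings, Types)) {
         return 'packet.readLengthCodedString("ascii")';
       }
-      return `packet.parseDateTime('${timezone}')`;
+      return `packet.parseDateTime(${helpers.srcEscape(timezone)})`;
     case Types.TIME:
       return 'packet.readLengthCodedString("ascii")';
     case Types.GEOMETRY: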
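--- /dev/null
+++ b/test/esm/unit/parsers/timezone-binary-sanitization.test.mjs
@@ -0,0 +1,24 @@
+import { describe, test, assert } from 'poku';
+import { createConnection, describeOptions } from '../../../common.test.cjs';
+
+const connection = createConnection().promise();
+
+describe('Binary Parser: timezone Sanitization', describeOptions);
+
+Promise.all([
+  test(async () => {
+    process.env.TEST_ENV_VALUE = 'secure';
+    await connection.execute({
+      sql: 'SELECT NOW()',
+      timezone: `'); process.env.TEST_ENV_VALUE = "not so much"; //`,
+    });
+
+    assert.strictEqual(
+      process.env.TEST_ENV_VALUE,
+      'secure',
+      'Timezone sanitization failed - code injection possible',
+    );
+  }),
+]).then(async () => {
+  await connection.end();
+});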
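Review bot: `connection.end()` runs only in the `.then` callback of `Promise.all`, so a failing assertion rejects the chain and skips it, leaving the connection open (and, depending on how poku treats the rejection, possibly the process hanging); the same shape is in test/esm/unit/parsers/timezone-text-sanitization.test.mjs. Changing the tail to `]).finally(async () => {` closes the connection on both paths while still letting the rejection surface. The test also leaves `process.env.TEST_ENV_VALUE` set after it finishes; deleting it in the same cleanup keeps the sentinel from leaking into other test files run in the same process.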
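--- /dev/null
+++ b/test/esm/unit/parsers/timezone-text-sanitization.test.mjs
@@ -0,0 +1,24 @@
+import { describe, test, assert } from 'poku';
+import { createConnection, describeOptions } from '../../../common.test.cjs';
+
+const connection = createConnection().promise();
+
+describe('Text Parser: timezone Sanitization', describeOptions);
+
+Promise.all([
+  test(async () => {
+    process.env.TEST_ENV_VALUE = 'secure';
+    await connection.query({
+      sql: 'SELECT NOW()',
+      timezone: `'); process.env.TEST_ENV_VALUE = "not so much"; //`,
+    });
+
+    assert.strictEqual(
+      process.env.TEST_ENV_VALUE,
+      'secure',
+      'Timezone sanitization failed - code injection possible',
+    );
+  }),
+]).then(async () => {
+  await connection.end();
+});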
2d3cad8a5aadVulnerability mechanics
References (6)
- github.com/advisories/GHSA-4rch-2fh8-94vw (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-21511 (ghsa, ADVISORY)
- github.com/sidorares/node-mysql2/commit/7d4b098c7e29d5a6cb9eac2633bfcc2f0f1db713 (nvd, WEB)
- github.com/sidorares/node-mysql2/pull/2608 (nvd, WEB)
- github.com/sidorares/node-mysql2/releases/tag/v3.9.7 (nvd, WEB)
- security.snyk.io/vuln/SNYK-JS-MYSQL2-6670046 (nvd, WEB)