npm package
mysql2
pkg:npm/mysql2
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-21512 | Hig | 8.2 | < 3.9.8 | 3.9.8 | May 29, 2024 | Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables. | |
| CVE-2024-21511 | Cri | 9.8 | < 3.9.7 | 3.9.7 | Apr 23, 2024 | Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function. | |
| CVE-2024-21508 | Cri | 9.8 | < 3.9.4 | 3.9.4 | Apr 11, 2024 | Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values. | |
| CVE-2024-21507 | — | < 3.9.3 | 3.9.3 | Apr 10, 2024 | Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key. | ||
| CVE-2024-21509 | — | < 3.9.4 | 3.9.4 | Apr 10, 2024 | Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js. |
- affected < 3.9.8fixed 3.9.8
Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.
- affected < 3.9.7fixed 3.9.7
Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.
- affected < 3.9.4fixed 3.9.4
Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.
- CVE-2024-21507Apr 10, 2024affected < 3.9.3fixed 3.9.3
Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key.
- CVE-2024-21509Apr 10, 2024affected < 3.9.4fixed 3.9.4
Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.