CVE-2024-21509

Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://blog.slonser.info/posts/mysql2-attacker-configuration/	Exploit Permissions Required
https://github.com/sidorares/node-mysql2/blob/fd3d117da82cc5c5fa5a3701d7b33ca77691bc61/lib/parsers/text_parser.js%23L134	Broken Link
https://github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691	Patch
https://github.com/sidorares/node-mysql2/pull/2574	Exploit Issue Tracking
https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4	Release Notes
https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591084	Exploit Third Party Advisory
https://blog.slonser.info/posts/mysql2-attacker-configuration/	Exploit Permissions Required
https://github.com/sidorares/node-mysql2/blob/fd3d117da82cc5c5fa5a3701d7b33ca77691bc61/lib/parsers/text_parser.js%23L134	Broken Link
https://github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691	Patch
https://github.com/sidorares/node-mysql2/pull/2574	Exploit Issue Tracking
https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4	Release Notes
https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591084	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sidorares:mysql2:*:*:*:*:*:*:*:*

History

17 Jun 2025, 18:15

Type	Values Removed	Values Added
First Time		Sidorares Sidorares mysql2
CPE		cpe:2.3:a:sidorares:mysql2::::::::
References	~~() https://blog.slonser.info/posts/mysql2-attacker-configuration/ -~~	() https://blog.slonser.info/posts/mysql2-attacker-configuration/ - Exploit, Permissions Required
References	~~() https://github.com/sidorares/node-mysql2/blob/fd3d117da82cc5c5fa5a3701d7b33ca77691bc61/lib/parsers/text_parser.js%23L134 -~~	() https://github.com/sidorares/node-mysql2/blob/fd3d117da82cc5c5fa5a3701d7b33ca77691bc61/lib/parsers/text_parser.js%23L134 - Broken Link
References	~~() https://github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691 -~~	() https://github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691 - Patch
References	~~() https://github.com/sidorares/node-mysql2/pull/2574 -~~	() https://github.com/sidorares/node-mysql2/pull/2574 - Exploit, Issue Tracking
References	~~() https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4 -~~	() https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4 - Release Notes
References	~~() https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591084 -~~	() https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591084 - Exploit, Third Party Advisory

21 Nov 2024, 08:54

Type	Values Removed	Values Added
References	~~() https://blog.slonser.info/posts/mysql2-attacker-configuration/ -~~	() https://blog.slonser.info/posts/mysql2-attacker-configuration/ -
References	~~() https://github.com/sidorares/node-mysql2/blob/fd3d117da82cc5c5fa5a3701d7b33ca77691bc61/lib/parsers/text_parser.js%23L134 -~~	() https://github.com/sidorares/node-mysql2/blob/fd3d117da82cc5c5fa5a3701d7b33ca77691bc61/lib/parsers/text_parser.js%23L134 -
References	~~() https://github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691 -~~	() https://github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691 -
References	~~() https://github.com/sidorares/node-mysql2/pull/2574 -~~	() https://github.com/sidorares/node-mysql2/pull/2574 -
References	~~() https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4 -~~	() https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4 -
References	~~() https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591084 -~~	() https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591084 -

22 Aug 2024, 13:35

Type	Values Removed	Values Added
Summary		(es) Las versiones del paquete mysql2 anteriores a la 3.9.4 son vulnerables al envenenamiento de prototipos debido a la creación insegura de objetos de resultados y a una desinfección inadecuada de las entradas del usuario pasadas a través de parserFn en text_parser.js y binario_parser.js.

10 Apr 2024, 13:23

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-04-10 05:15

Updated : 2025-06-17 18:15

NVD link : CVE-2024-21509

Mitre link : CVE-2024-21509

CVE.ORG link : CVE-2024-21509

JSON object : View

Products Affected

sidorares

mysql2

CWE

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

6.5 /10