Multiple MySQL2 Flaws Let Attackers Execute Arbitrary Code Remotely


The node-mysql2 library, a popular JavaScript database driver with over 2 million weekly installations, has been found to contain three critical security flaws: remote code execution, arbitrary code injection, and prototype pollution, designated CVE-2024-21508, CVE-2024-21509, and CVE-2024-21511.


These vulnerabilities, with severity ratings ranging from 6.5 (Medium) to 9.8 (Critical), pose significant risk: once connected to the database, an attacker can gain server-level access. While a patch has been released for one issue, two critical vulnerabilities remain unaddressed by the vendor.

CVE-2024-21508 and CVE-2024-21511 arise from insufficient validation in the node-mysql2 library, which can mistakenly accept objects in place of strings for database queries. Combined with the library's method of generating and caching query parsing functions, this flaw opens the door to remote code execution if an attacker controls the parameters passed to a query.

Additionally, the source code's handling of large numbers through the 'supportBigNumbers' option further compounds the vulnerability, enabling malicious code execution. The vendor's lack of response to the researcher's disclosures has delayed further fixes, leaving users advised to update their installations to mitigate at least the resolved issues.

Affected Systems

Node.js mysql2 3.9.6

IoCs

-

Recommended Solution(s)

Upgrade to the latest version of mysql2, available from the Node.js GIT Repository.

Mitigations

Update mysql2 to the latest release to address the issue that has been patched. Because the vendor has not responded to the researcher's disclosures, the remaining issues are still unfixed, so treat database query parameters built from untrusted input as a risk until a full fix is published.

CVE / CWE

CVE-2024-21511

Related Website(s)

* Vulnerabilities with a CVSS 3.1 score between 7.0 and 8.9 are evaluated to be “high” whereas vulnerabilities with a CVSS 3.1 score between 9.0 and 10.0 are evaluated to be “critical”.