CVE-2024-21512 — mysql2 vulnerable to Prototype Pollution

Description

Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.

How to fix CVE-2024-21512

To remediate CVE-2024-21512, upgrade the affected package to a fixed version below.

npm/mysql2—upgrade to 3.9.8 or later

Is CVE-2024-21512 being exploited?

Likely — EPSS is 68.3%, placing CVE-2024-21512 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (1)

from 0, < 3.9.8

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-21512
PATCHgithub.com/sidorares/node-mysql2
WEBgist.github.com/domdomi3/e9f0f9b9b1ed6bfbbc0bea87c5ca1e4a
WEBgithub.com/sidorares/node-mysql2/commit/efe3db527a2c94a63c2d14045baba8dfefe922bc