VDB
CVE-2024-21508
PUBLISHED
CVSS 9.8 CRITICAL
Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.
EPSS 46.19% · 97.7th percentile
Risk Scores
CVSS v3.1
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P
EPSS Score
46.19%
97.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| npm | mysql2 | from 0, before 3.9.4 |
| n/a | mysql2 | from 0, before 3.9.4 |
| mysql2 | mysql2 | from 0, before 3.9.4 |
Timeline
- Apr 11, 2024 CVE Published
- Apr 11, 2024 EPSS Score
- Apr 12, 2024 CVE Updated
- May 6, 2024 EPSS Score
- Jun 25, 2024 EPSS Score
- Jul 20, 2024 EPSS Score
- Sep 8, 2024 EPSS Score
- Oct 3, 2024 EPSS Score
- Oct 4, 2024 Coalition ESS Score
- Nov 23, 2024 EPSS Score
- Dec 19, 2024 EPSS Score
- Feb 7, 2025 EPSS Score
References
- https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591085 (url)
- https://blog.slonser.info/posts/mysql2-attacker-configuration/ (url)
- https://github.com/sidorares/node-mysql2/blob/1609b5393516d72a4ae47196837317fbe75e0c13/lib/parsers/text_parser.js#L14C10-L14C21 (url)
- https://github.com/sidorares/node-mysql2/pull/2572 (url)
- https://github.com/sidorares/node-mysql2/commit/74abf9ef94d76114d9a09415e28b496522a94805 (url)
- https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4 (url)
- https://nvd.nist.gov/vuln/detail/CVE-2024-21508 (advisory)
- https://github.com/sidorares/node-mysql2 (package)