Platform
nodejs
Component
mysql2
Fixed in
3.9.7
3.9.7
CVE-2024-21511 describes an Arbitrary Code Injection vulnerability affecting the mysql2 package. This flaw arises from inadequate sanitization of the timezone parameter within the readCodeFor function, enabling attackers to potentially execute arbitrary code by leveraging native MySQL Server date/time functions. The vulnerability impacts Node.js applications utilizing mysql2 versions before 3.9.7. A fix is available in version 3.9.7.
The Arbitrary Code Injection vulnerability in mysql2 presents a severe risk to applications relying on MySQL database connectivity. An attacker could exploit this flaw by crafting malicious timezone values that, when processed by the readCodeFor function, trigger the execution of arbitrary code on the MySQL server. This could lead to complete system compromise, including data exfiltration, modification, and denial of service. The potential blast radius extends to any sensitive data stored within the MySQL database, as well as the underlying server infrastructure. This vulnerability shares similarities with other injection flaws where improper input validation allows for the execution of unintended commands.
CVE-2024-21511 was publicly disclosed on April 23, 2024. The vulnerability's severity is rated as CRITICAL (CVSS 9.8). Public proof-of-concept exploits are likely to emerge given the ease of exploitation and the high impact. The vulnerability is not currently listed on the CISA KEV catalog, but its criticality warrants close monitoring. Active exploitation campaigns are possible, particularly targeting applications with outdated mysql2 versions.
Exploit Status
EPSS
0.13% (32% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-21511 is to immediately upgrade the mysql2 package to version 3.9.7 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing input validation on the timezone parameter before passing it to the mysql2 library. While not a complete solution, this can reduce the attack surface. Additionally, review database user permissions to limit the privileges of accounts used by the application. Monitor MySQL logs for suspicious activity related to timezone parameter manipulation. After upgrading, confirm the fix by attempting to reproduce the vulnerability with a known malicious timezone string and verifying that it is properly sanitized.
Update the mysql2 package to version 3.9.7 or higher. This can be done using npm or yarn. Run `npm install mysql2@latest` or `yarn upgrade mysql2` to update to the latest version that fixes the vulnerability.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-21511 is a critical vulnerability in the mysql2 package where improper timezone parameter sanitization allows attackers to execute arbitrary code on the MySQL server.
You are affected if your Node.js application uses mysql2 versions prior to 3.9.7. Check your installed version with npm list mysql2.
Upgrade the mysql2 package to version 3.9.7 or later using npm install [email protected]. If upgrading is not possible, implement input validation on the timezone parameter.
While no active exploitation has been confirmed, the vulnerability's criticality and ease of exploitation suggest active campaigns are possible.
Refer to the official mysql2 GitHub repository and npm package page for updates and advisories related to CVE-2024-21511.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.