CVE-2024-21507 Information

Description

Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key.

Reference

https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591300 https://github.com/sidorares/node-mysql2/commit/0d54b0ca6498c823098426038162ef10df02c818 https://blog.slonser.info/posts/mysql2-attacker-configuration/ https://github.com/sidorares/node-mysql2/pull/2424