CVE-2024-21509 Information
Apr 11, 2024
Description
Versions of the mysql2 package before 3.9.4 are vulnerable to prototype poisoning because the results object is created insecurely and user input passed through parserFn in text_parser.js and binary_parser.js is not properly sanitized.
Reference
https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591084
https://blog.slonser.info/posts/mysql2-attacker-configuration/
https://github.com/sidorares/node-mysql2/blob/fd3d117da82cc5c5fa5a3701d7b33ca77691bc61/lib/parsers/text_parser.js%23L134
https://github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691
https://github.com/sidorares/node-mysql2/pull/2574
https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4