CVE-2024-21508
published 2024-04-11


Priority: P2 (62) · Severity: critical, 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.55% (83.1th percentile)
Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.

Affected (1 range)

Vendor      Product   Version range    Fixed in
sidorares   mysql2    >= 0 < 3.9.4     3.9.4

Detection & IOCs (extracted from sources)

  • Vulnerable code path is in the `readCodeFor` function of the mysql2 npm package; monitor for exploitation attempts targeting this function with unsanitized `supportBigNumbers` or `bigNumberStrings` values
  • Any mysql2 npm package version below 3.9.4 is vulnerable; audit Node.js environments for outdated mysql2 installations
  • Red Hat Developer Hub (RHDH) is listed as Not Affected because it exclusively uses PostgreSQL in production, even though mysql2 is an inherited dependency from upstream Backstage
  • No mitigation meeting Red Hat's criteria (ease of use, deployment, applicability, stability) is currently available for affected deployments
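One way to carry out the audit the bullets above call for, as an added example that is neither the advisory's nor the mysql2 project's own code: it flags every mysql2 copy recorded in a package-lock.json whose version is below the fixed version 3.9.4, including copies nested under other dependencies, and falls back to the v1 lockfile layout. The sample lockfile is constructed for the example.

```javascript
// Added example, not from the advisory or the mysql2 project: flag every
// mysql2 copy in a package-lock.json that is below the fixed version 3.9.4.
const FIXED = "3.9.4"; // fixed-in version from the advisory
// Compare two dotted numeric versions; a pre-release suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
// Affected range from the advisory: >= 0 < 3.9.4
function isAffected(version) {
  return compareVersions(version, FIXED) < 0;
}
// Lockfile v2/v3 lists every install under "packages" keyed by path, so nested
// copies (node_modules/x/node_modules/mysql2) are found; v1 nests "dependencies".
function findAffectedMysql2(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/mysql2") && meta.version && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "mysql2" && meta.version && isAffected(meta.version)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}
// Constructed sample: patched top-level copy plus a vulnerable nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/mysql2": { version: "3.9.4" },
    "node_modules/legacy-orm": { version: "1.0.0" },
    "node_modules/legacy-orm/node_modules/mysql2": { version: "3.9.3" },
  },
};
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  console.log(findAffectedMysql2(lock));
}
```

Run it as `node audit-mysql2.js path/to/package-lock.json`; with no argument it reports on the constructed sample, which yields the single nested 3.9.3 copy.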

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat: 9.8 CRITICAL