CVE-2024-21508
Published 2024-04-11
Priority: P2 · 62 · Critical · CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.55% (83.1 percentile)
Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sidorares | mysql2 | >= 0 < 3.9.4 | 3.9.4 |
Detection & IOCs (extracted from sources)
- Vulnerable code path is in the `readCodeFor` function of the mysql2 npm package; monitor for exploitation attempts targeting this function with unsanitized `supportBigNumbers` or `bigNumberStrings` values
- Any mysql2 npm package version below 3.9.4 is vulnerable; audit Node.js environments for outdated mysql2 installations
- Red Hat Developer Hub (RHDH) is listed as Not Affected because it exclusively uses PostgreSQL in production, even though mysql2 is an inherited dependency from upstream Backstage
- No mitigation meeting Red Hat's criteria (ease of use, deployment, applicability, stability) is currently available for affected deployments
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Red Hat (vendor): 9.8 CRITICAL
GHSA · 2024-04-11
CVE-2024-21508 [CRITICAL] CWE-94: mysql2 Remote Code Execution (RCE) via the readCodeFor function
Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the `readCodeFor` function due to improper validation of the `supportBigNumbers` and `bigNumberStrings` values.
OSV · 2024-04-11
CVE-2024-21508 [CRITICAL]: mysql2 Remote Code Execution (RCE) via the readCodeFor function
Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the `readCodeFor` function due to improper validation of the `supportBigNumbers` and `bigNumberStrings` values.
Red Hat (vendor) · 2024-04-11 · CVSS 9.8
CVE-2024-21508 [CRITICAL] CWE-94: mysql2: Remote Code Execution
Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.
A flaw was found in the MySQL2 npm package. Affected versions of this package are vulnerable to remote code execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.
Statement: The mysql2 dependency is inherited from upstream Backstage, which is designed to support various databases. However, RHDH exclusively supports PostgreSQL for production use, so this issue doesn't impact us.
Mitigation: Mitigation for this issue is either not available or the currently available options don't meet the Re
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://blog.slonser.info/posts/mysql2-attacker-configuration/
- https://github.com/sidorares/node-mysql2/blob/1609b5393516d72a4ae47196837317fbe75e0c13/lib/parsers/text_parser.js%23L14C10-L14C21
- https://github.com/sidorares/node-mysql2/commit/74abf9ef94d76114d9a09415e28b496522a94805
- https://github.com/sidorares/node-mysql2/pull/2572
- https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4
- https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591085