CVE-2024-53257
Published 2024-12-03
Priority: P424, medium
CVSS 3.1: 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N)
EPSS: 0.43% (34.2th percentile)
Vitess is a database clustering system for horizontal scaling of MySQL. The /debug/querylogz and /debug/env pages for vtgate and vttablet do not properly escape user input. The result is that queries executed by Vitess can write HTML into the monitoring page at will. These pages are rendered using text/template instead of rendering with a proper HTML templating engine. This vulnerability is fixed in 21.0.1, 20.0.4, and 19.0.8.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | azl3_vitess_19.0.4-7_on_azure_linux_3.0 | — | — |
| msrc | cbl2_vitess_17.0.7-6_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_vitess_17.0.7-8_on_cbl_mariner_2.0 | — | — |
| vitess.io | vitess | >= 0 < 0.19.8 | 0.19.8 |
| vitess.io | vitess | >= 0.20.0 < 0.20.4 | 0.20.4 |
| vitess.io | vitess | >= 0.20.0-rc1 < 0.20.4 | 0.20.4 |
| vitess.io | vitess | >= 0.21.0 < 0.21.1 | 0.21.1 |
| vitess.io | vitess | >= 0.21.0-rc1 < 0.21.1 | 0.21.1 |
| vitessio | vitess | < 19.0.8 | 19.0.8 |
| vitessio | vitess | — | — |
| vitessio | vitess | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N |
| vendor_msrc | 4.9 | MEDIUM | — |
OSV
Vitess allows HTML injection in /debug/querylogz and /debug/env in vitess.io/vitess
osv · 2024-12-12
GHSA
Vitess allows HTML injection in /debug/querylogz & /debug/env
ghsa · 2024-12-03 · MEDIUM · CWE-79
### Summary
The `/debug/querylogz` and `/debug/env` pages for `vtgate` and `vttablet` do not properly escape user input. The result is that queries executed by Vitess can write HTML into the monitoring page at will.
### Details
These pages are rendered using `text/template` instead of rendering with a proper HTML templating engine.
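As an added illustration (not Vitess code), the Go program below renders a constructed query-log row first with `text/template`, the pattern behind this advisory, and then with `html/template`, which is the fix; the `LogRow` type, the `pageTmpl` template and the sample query are assumptions made up for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// LogRow is a constructed stand-in for one entry of a /debug/querylogz page;
// it is not a Vitess type.
type LogRow struct {
	Method string
	SQL    string // text taken from the executed query, i.e. attacker-influenced
}

// pageTmpl is a minimal hypothetical table template in the shape of a status page.
const pageTmpl = `<table>{{range .}}<tr><td>{{.Method}}</td><td>{{.SQL}}</td></tr>{{end}}</table>`

// RenderText mirrors the vulnerable pattern: text/template interpolates values
// verbatim, so markup inside the SQL text lands in the page as live HTML.
func RenderText(rows []LogRow) (string, error) {
	t, err := texttemplate.New("querylogz").Parse(pageTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, rows)
	return buf.String(), err
}

// RenderHTML is the fix: html/template analyses the HTML context of each
// action and escapes the interpolated value for it, so "<" becomes "&lt;".
func RenderHTML(rows []LogRow) (string, error) {
	t, err := htmltemplate.New("querylogz").Parse(pageTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, rows)
	return buf.String(), err
}

func main() {
	// Constructed sample: a query whose string literal carries markup.
	rows := []LogRow{{Method: "Execute", SQL: `SELECT "<b>hi</b>"`}}
	unsafe, _ := RenderText(rows)
	safe, _ := RenderHTML(rows)
	fmt.Println("text/template:", unsafe)
	fmt.Println("html/template:", safe)
}
```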
### PoC
Execute any query where part of it is HTML markup, for example as part of a string. To make it easier to observe you might want to make sure the query takes a few seconds to complete, giving you time to refresh the status page.
Example query that can trigger the issue:
```sql
UPDATE users
SET
email = CONCAT("", users.idUser, "@xxx")
WHERE
email NOT LIKE '%xxx%' AND email != "[email protected]
```
Microsoft
Vitess allows HTML injection in /debug/querylogz & /debug/env
vendor_msrc · 2024-12-10 · CVSS 4.9 · MEDIUM · CWE-79
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.