| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| knex | npm | < 2.4.0 | 2.4.0 |
The vulnerability stems from the MySQL query compiler's handling of WHERE clause values. The 2.4.0 patch added assertions in the two affected compiler functions to reject objects and arrays: the commit diff shows `assert` checks against object/array values being added to both. Prior to 2.4.0 these validation checks were missing, so a WHERE binding that was an object or array was passed through to the mysql driver, whose placeholder formatting expands an object into `key = value` pairs and an array into a comma-separated list. The binding was therefore interpreted as part of the SQL expression rather than as a single parameterized value, which lets an attacker-controlled object alter or neutralize the WHERE clause. The GHSA advisory and the test cases added with the fix confirm these were the entry points for SQL injection via WHERE clause manipulation.