6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-21507

GHSA ID

GHSA-mqr2-w7wj-jjgr

EPSS Score

0.43242%

CWE

CWE-20

Published

4/10/2024

Updated

8/2/2024

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-21507

CVE-2024-21507: mysql2 cache poisoning vulnerability

Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon : character within a value of the attacker-crafted key.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-21507

CVE-2024-21507:

6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-21507

GHSA ID

GHSA-mqr2-w7wj-jjgr

EPSS Score

0.43242%

CWE

CWE-20

Published

4/10/2024

Updated

8/2/2024

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
mysql2	npm	< 3.9.3	3.9.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the original implementation of keyFromFields which used manual string concatenation with '/' and ':' separators to create cache keys. This allowed injection of colon characters in field properties (like name, schema, or table) to create ambiguous cache keys. The GitHub patch replaced this with JSON.stringify serialization to safely structure the key. Multiple sources (CVE description, commit message, and security advisories) explicitly reference keyFromFields as the vulnerable component. The attack vector demonstrated in the blog post and Snyk's PoC both rely on manipulating field metadata to exploit this key generation weakness.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-21507: mysql2 cache poisoning vulnerability

CVE-2024-21507:

6.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

6.5

6.5

CVE-2024-21507: mysql2 cache poisoning vulnerability

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI