CVE-2024-21507: mysql2 cache poisoning vulnerability

CVSS Score: 6.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.43242%
Published: 4/10/2024
Updated: 8/2/2024
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
mysql2       | npm       | < 3.9.3             | 3.9.3

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the original implementation of keyFromFields, which built cache keys by manual string concatenation with '/' and ':' as separators. Because the separators were not escaped, a colon inside a field property (such as name, schema, or table) could shift the apparent field boundaries, so two different sets of field metadata could produce the same, ambiguous cache key. The GitHub patch replaced the concatenation with JSON.stringify serialization, which structures the key so that values and separators can no longer be confused. Multiple sources (the CVE description, the commit message, and security advisories) explicitly reference keyFromFields as the vulnerable component, and the attack vector demonstrated in the blog post and Snyk's PoC both rely on manipulating field metadata to exploit this key generation weakness.
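To make the key ambiguity concrete, the following is an added example, not mysql2's own code: a simplified model of the two key-building strategies the analysis contrasts. The field shape (name, columnType, schema, table), the `ParserCache` class, and the sample metadata lists are constructed for illustration; the real keyFromFields includes more properties and connection options, but the separator problem and the JSON.stringify remedy are the same.

```javascript
// Added example (not mysql2's own code): a simplified model of the cache-key
// strategies described in the root-cause analysis. The field shape, the
// ParserCache class and the sample metadata are constructed for illustration.

// Ambiguous key: separator-joined values, in the style of the pre-3.9.3 code.
function keyFromFieldsConcat(type, fields) {
  let key = type;
  for (const f of fields) {
    key += `/${f.name}:${f.columnType}:${f.schema}:${f.table}`;
  }
  return key;
}

// Unambiguous key: structured serialization, in the style of the patch.
// JSON.stringify quotes and escapes each value, so a ':' or '/' inside a
// value can never be read as a boundary between values.
function keyFromFieldsJson(type, fields) {
  const parts = [type];
  for (const f of fields) {
    parts.push([f.name, f.columnType, f.schema, f.table]);
  }
  return JSON.stringify(parts);
}

// Minimal stand-in for a parser cache keyed by result-set field metadata.
class ParserCache {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.entries = new Map();
  }
  getOrBuild(type, fields, build) {
    const key = this.keyFn(type, fields);
    if (!this.entries.has(key)) {
      this.entries.set(key, build(fields));
    }
    return this.entries.get(key);
  }
}

// Constructed metadata: two genuinely different field lists whose
// separator-joined forms are byte-for-byte identical, because the ':' inside
// `name` in list A lands where the ':' inside `schema` falls in list B.
const FIELDS_A = [{ name: 'a:b', columnType: 1, schema: 'c', table: 'd' }];
const FIELDS_B = [{ name: 'a', columnType: 'b', schema: '1:c', table: 'd' }];

// True when a parser built for FIELDS_A is wrongly handed back for FIELDS_B,
// i.e. when the key function lets the two lists share one cache slot.
function cacheCrossTalk(keyFn) {
  const cache = new ParserCache(keyFn);
  const build = (fields) => ({ builtFor: fields[0].name });
  const forA = cache.getOrBuild('query', FIELDS_A, build);
  const forB = cache.getOrBuild('query', FIELDS_B, build);
  return forA === forB;
}

console.log('concat keys collide :', keyFromFieldsConcat('query', FIELDS_A) === keyFromFieldsConcat('query', FIELDS_B)); // true
console.log('json keys collide   :', keyFromFieldsJson('query', FIELDS_A) === keyFromFieldsJson('query', FIELDS_B));     // false
console.log('cross-talk (concat) :', cacheCrossTalk(keyFromFieldsConcat)); // true
console.log('cross-talk (json)   :', cacheCrossTalk(keyFromFieldsJson));   // false
```

The general lesson is the one the patch applies: a cache key assembled from untrusted strings needs a serialization in which delimiters cannot appear unescaped inside values. JSON.stringify gives that for free; a hand-rolled join only works if every value is escaped or length-prefixed first. When reviewing similar code, look for any `${a}:${b}` or `a + '/' + b` key construction over data that an external party can influence.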

WAF Protection Rules

WAF Rule

Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the `keyFromFields` function, resulting in cache poisoning. An attacker can inject a colon `:` character within a value of the attacker-crafted key.
