Miggo Logo
Miggo Vulnerability Database
CVE-2024-21511

CVE-2024-21511: MySQL2 for Node Arbitrary Code Injection

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-21511
GHSA ID
GHSA-4rch-2fh8-94vw
EPSS Score
0.27329%
CWE
CWE-94
Published
4/23/2024
Updated
4/23/2024
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
mysql2npm< 3.9.73.9.7

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper sanitization when constructing date/time parsing code strings. Both parser implementations directly embedded user-controlled 'timezone' parameters into generated JavaScript code using string interpolation without proper escaping. This allowed attackers to inject Node.js code through specially crafted timezone values. The fix introduced helpers.srcEscape() to sanitize these inputs, and the added test cases specifically target timezone parameter injection scenarios in both binary and text parsers.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rsions o* t** p**k*** mysql* ***or* *.*.* *r* vuln*r**l* to *r*itr*ry *o** Inj**tion *u* to improp*r s*nitiz*tion o* t** tim*zon* p*r*m*t*r in t** r****o***or *un*tion *y **llin* * n*tiv* MySQL S*rv*r **t*/tim* *un*tion.

Reasoning

T** vuln*r**ility st*ms *rom improp*r s*nitiz*tion w**n *onstru*tin* **t*/tim* p*rsin* *o** strin*s. *ot* p*rs*r impl*m*nt*tions *ir**tly *m****** us*r-*ontroll** 'tim*zon*' p*r*m*t*rs into **n*r*t** J*v*S*ript *o** usin* strin* int*rpol*tion wit*out