CVE-2024-21508
📋 TL;DR
The mysql2 Node.js package before version 3.9.4 is vulnerable to remote code execution because the supportBigNumbers and bigNumberStrings options were used without validation when mysql2 generates the source of its text-protocol row parser. An attacker who can set those options (through the connection configuration or through query options) can supply a string of JavaScript where a boolean is expected; the string is interpolated into the generated parser code and runs inside the Node.js process when a result set is parsed. Any application that lets untrusted input reach those options on a vulnerable mysql2 version is affected.
💻 Affected Systems
- mysql2 Node.js package
⚠️ Version Scope
NVD and the vendor release notes put the affected range at every mysql2 release before 3.9.4; 3.9.4 and later carry the fix. Confirm what is actually installed rather than what package.json requests:
- Review the CVE details at NVD
- Check the vendor release notes (v3.9.4) against your specific version
- Check whether any connection or query options in your application can be influenced by untrusted input
- Update to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code execution inside the Node.js process with the application's privileges: read credentials and environment variables, exfiltrate data from every database the application can reach, install persistence, or pivot to other systems.
Likely Case
Services that let users supply their own database connection settings (multi-tenant platforms, reporting and ETL tools, admin panels that "connect to your database"): a user who submits a crafted option value gets code execution on the shared backend, not just on their own database.
If Mitigated
If connection options are built only from trusted configuration and typed as real booleans, the injection point is unreachable; where that cannot be guaranteed, network segmentation and least-privilege database accounts limit what a successful exploit can reach.
🎯 Exploit Status
Exploitation requires the ability to set mysql2 connection or query options, typically because the application builds them from user input (a tenant's database settings form, for instance) or because a configuration source has been compromised. The injected value executes when mysql2 parses a result set, so the attacker also needs a query against that connection to return rows. The technique is documented publicly in the Slonser write-up referenced below.
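The following is an added example, not mysql2's code or the advisory's: a deliberately simplified model of the pattern behind this CVE. mysql2 compiles a row parser from generated JavaScript source, and before 3.9.4 the supportBigNumbers and bigNumberStrings options were interpolated into that source without validation. The generator functions, FakePacket and the global marker are hypothetical names invented for the demonstration; the "attacker" value is a harmless expression that only flips a flag.

```javascript
// Added example, not mysql2's code: a simplified model of the code-generation
// pattern behind CVE-2024-21508. Names such as buildRowParserSource*,
// FakePacket and __cve202421508Marker are hypothetical.

// Vulnerable shape: the option values are written into the source text as-is.
function buildRowParserSourceVulnerable(opts) {
  const supportBigNumbers = opts.supportBigNumbers;
  const bigNumberStrings = opts.bigNumberStrings;
  return [
    'return function parseRow(packet) {',
    `  return packet.readBigInt(${supportBigNumbers}, ${bigNumberStrings});`,
    '};',
  ].join('\n');
}

// Hardened shape, in the spirit of the 3.9.4 fix: coerce to real booleans
// first, so the generated source can only ever contain "true" or "false".
function buildRowParserSourceFixed(opts) {
  const supportBigNumbers = Boolean(opts.supportBigNumbers);
  const bigNumberStrings = Boolean(opts.bigNumberStrings);
  return [
    'return function parseRow(packet) {',
    `  return packet.readBigInt(${supportBigNumbers}, ${bigNumberStrings});`,
    '};',
  ].join('\n');
}

// Minimal stand-in for the packet object a generated parser receives.
class FakePacket {
  constructor(raw) { this.raw = raw; }
  readBigInt(asBig, asString) {
    if (!asBig) return Number(this.raw);
    return asString ? String(this.raw) : BigInt(this.raw);
  }
}

// The sink: new Function turns whatever text is in `source` into code.
function compileAndRun(source, packet) {
  const parseRow = new Function(source)();
  return parseRow(packet);
}

// Constructed, harmless stand-in for an attacker-controlled option value: a
// JavaScript expression where a boolean belongs. It only sets a global marker.
const marker = { hit: false };
globalThis.__cve202421508Marker = marker;
const attackerOptions = {
  supportBigNumbers: '(globalThis.__cve202421508Marker.hit = true)',
  bigNumberStrings: 'true',
};

// Runs the same "attacker" options through both generators and reports
// whether the injected expression executed.
function demonstrate() {
  const packet = new FakePacket('9007199254740993'); // 2^53 + 1, a BIGINT value
  marker.hit = false;
  const vulnerableResult = compileAndRun(buildRowParserSourceVulnerable(attackerOptions), packet);
  const vulnerableHit = marker.hit; // true: the expression ran inside the parser
  marker.hit = false;
  const fixedResult = compileAndRun(buildRowParserSourceFixed(attackerOptions), packet);
  const fixedHit = marker.hit; // false: Boolean('...') is just true, never evaluated as code
  return { vulnerableHit, fixedHit, vulnerableResult, fixedResult };
}
```

Both generators return the same row value for these inputs, which is the point: from the application's perspective the query "works", and nothing in the returned data reveals that the option text was executed. Only the coercion step in the hardened generator keeps the option value out of the code path.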
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.9.4
Vendor Advisory: https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4
Restart Required: Yes
Instructions:
1. Update package.json to require mysql2 3.9.4 or higher (for example "mysql2": "^3.9.4").
2. Run 'npm install mysql2@^3.9.4' or 'yarn upgrade mysql2@^3.9.4'. Note that 'npm update mysql2' only moves within the range package.json already allows, so it may not reach a fixed release. Check the lockfile afterwards: an older copy can remain nested under another dependency.
3. Restart your Node.js application.
🔧 Temporary Workarounds
Input Validation
Validate and sanitize every configuration input that reaches mysql2. In particular, accept supportBigNumbers and bigNumberStrings only as real booleans, reject (do not coerce) strings, and never pass an untrusted object straight into createConnection or createPool.
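One way to implement that workaround, as an added example that is not part of mysql2 or this advisory: an allowlist validator run on connection options that originate from untrusted input (a tenant's "connect your database" form, for instance) before they are handed to mysql2.createConnection or createPool. The option names are mysql2's documented ones; the allowlist, the length limit and the InvalidOptionError class are this example's own choices.

```javascript
// Added example, not mysql2 code: fail-closed validation of connection options
// that come from untrusted input. Only the listed keys are accepted, boolean
// options must be actual booleans, and unknown keys are rejected outright.

const BOOLEAN_OPTIONS = new Set(['supportBigNumbers', 'bigNumberStrings', 'dateStrings']);
const STRING_OPTIONS = new Set(['host', 'user', 'password', 'database']);
const MAX_STRING_LENGTH = 256; // assumption for this example

class InvalidOptionError extends Error {
  constructor(message) { super(message); this.name = 'InvalidOptionError'; }
}

function hardenConnectionOptions(untrusted) {
  if (untrusted === null || typeof untrusted !== 'object' || Array.isArray(untrusted)) {
    throw new InvalidOptionError('connection options must be a plain object');
  }
  const safe = {};
  for (const [key, value] of Object.entries(untrusted)) {
    if (BOOLEAN_OPTIONS.has(key)) {
      // Strict type check, no coercion: a string such as "true" is rejected,
      // because a string is exactly what reached the parser generator in
      // CVE-2024-21508.
      if (typeof value !== 'boolean') {
        throw new InvalidOptionError(`${key} must be a boolean, got ${typeof value}`);
      }
      safe[key] = value;
    } else if (STRING_OPTIONS.has(key)) {
      // eslint-disable-next-line no-control-regex
      if (typeof value !== 'string' || value.length > MAX_STRING_LENGTH || /[\u0000-\u001f\u007f]/.test(value)) {
        throw new InvalidOptionError(`${key} must be a short printable string`);
      }
      safe[key] = value;
    } else if (key === 'port') {
      if (!Number.isInteger(value) || value < 1 || value > 65535) {
        throw new InvalidOptionError('port must be an integer between 1 and 65535');
      }
      safe.port = value;
    } else {
      // Fail closed on anything else: typeCast (a function), ssl, flags, stream,
      // an own "__proto__" key from JSON.parse, and so on are never accepted.
      throw new InvalidOptionError(`option "${key}" is not permitted from untrusted input`);
    }
  }
  if (typeof safe.host !== 'string') throw new InvalidOptionError('host is required');
  return safe;
}

// Constructed sample inputs: a well-formed tenant config and one that smuggles a
// string where a boolean belongs.
const GOOD_TENANT_CONFIG = {
  host: 'tenant-db.internal', port: 3306, user: 'report_ro', password: 'example-only',
  database: 'reports', supportBigNumbers: true, bigNumberStrings: true,
};
const BAD_TENANT_CONFIG = { ...GOOD_TENANT_CONFIG, supportBigNumbers: 'true' };
```

Rejecting rather than coercing matters here: Boolean('false') is true, so a "helpful" coercion step would silently change the tenant's intent, while a rejection surfaces the malformed input where it can be logged. The validator is also the right place to keep function-valued options such as typeCast out of reach of untrusted callers.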
Network Restriction
Restrict network access to and from the Node.js hosts that use mysql2: make the database reachable only from application hosts and limit the application's outbound traffic to what it needs, so that code execution gained through this bug is harder to turn into data exfiltration or lateral movement.
🧯 If You Can't Patch
- Implement strict input validation for all mysql2 configuration parameters
- Isolate vulnerable systems in segmented network zones with strict firewall rules
🔍 How to Verify
Check if Vulnerable:
Run 'npm ls mysql2' (it lists every installed copy, including ones nested under other dependencies) or inspect package-lock.json. If any installed copy is below 3.9.4, you are vulnerable; the version requested in package.json is not sufficient evidence on its own.
Check Version:
npm list mysql2 | grep mysql2
Verify Fix Applied:
After updating, verify version is 3.9.4 or higher using 'npm list mysql2'.
📡 Detection & Monitoring
Log Indicators:
- Unusual mysql2 configuration changes
- Unexpected process execution from Node.js applications
- Error logs containing malformed configuration values
Network Indicators:
- Unusual outbound connections from Node.js applications
- Suspicious database query patterns
SIEM Query:
source="application.logs" AND "mysql2" AND ("supportBigNumbers" OR "bigNumberStrings") AND status="error"
🔗 References
- https://blog.slonser.info/posts/mysql2-attacker-configuration/
- https://github.com/sidorares/node-mysql2/blob/1609b5393516d72a4ae47196837317fbe75e0c13/lib/parsers/text_parser.js#L14C10-L14C21
- https://github.com/sidorares/node-mysql2/commit/74abf9ef94d76114d9a09415e28b496522a94805
- https://github.com/sidorares/node-mysql2/pull/2572
- https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4
- https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591085