CVE-2024-21511 – CVE-2024-21511 is a critical code injection vul... (How to Fix)

Q: What is the severity of CVE-2024-21511?

CVE-2024-21511 has a CVSS score of 9.8 (CRITICAL). CVE-2024-21511 is a critical code injection vulnerability in the mysql2 Node.js package. Attackers can execute arbitrary code by exploiting improper sanitization of the timezone parameter when calling MySQL date/time functions. All applications using vulnerable mysql2 versions are affected.

📋 TL;DR

CVE-2024-21511 is a critical code injection vulnerability in the mysql2 Node.js package. Attackers can execute arbitrary code by exploiting improper sanitization of the timezone parameter when calling MySQL date/time functions. All applications using vulnerable mysql2 versions are affected.

💻 Affected Systems

Products:

mysql2 Node.js package

Versions: All versions before 3.9.7

Operating Systems: All platforms running Node.js

Default Config Vulnerable: ⚠️ Yes

Notes: Any application using mysql2 with user-controlled timezone parameters is vulnerable.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.

🟠

Likely Case

Database compromise, credential theft, and potential application takeover through code execution.

🟢

If Mitigated

Limited impact if proper input validation and network segmentation are in place, though risk remains significant.

🌐 Internet-Facing: HIGH

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires the ability to control timezone parameters in mysql2 queries.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.9.7

Vendor Advisory: https://github.com/sidorares/node-mysql2/releases/tag/v3.9.7

Restart Required: Yes

Instructions:

1. Update package.json to specify mysql2 version 3.9.7 or higher. 2. Run 'npm update mysql2' or 'yarn upgrade mysql2'. 3. Restart your Node.js application.

🔧 Temporary Workarounds

Input Validation Workaround

all

Implement strict input validation for all timezone parameters passed to mysql2 functions

🧯 If You Can't Patch

Implement strict input validation and sanitization for all user-controlled parameters
Isolate mysql2 instances behind firewalls and restrict network access

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list mysql2' to see installed version

Check Version:

npm list mysql2 | grep mysql2

Verify Fix Applied:

Confirm mysql2 version is 3.9.7 or higher using 'npm list mysql2'

📡 Detection & Monitoring

Log Indicators:

Unusual timezone parameter values in mysql2 queries
Unexpected process execution from Node.js applications

Network Indicators:

Unusual outbound connections from application servers
Database connections with suspicious parameters

SIEM Query:

source="application.logs" AND "mysql2" AND ("timezone" OR "TZ") AND suspicious_pattern

📊 Metadata

CVE ID: CVE-2024-21511

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-94

Published: April 23, 2024

Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-21511, you might also want to check these: