CVE-2024-21512
Published: 29 May 2024
Summary
CVE-2024-21512 is a high-severity Prototype Pollution (CWE-1321) vulnerability in Snyk (inferred from references). Its CVSS base score is 8.2 (High).
Operationally, ranked in the top 1.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Versions of the mysql2 package before 3.9.8 are vulnerable to prototype pollution (CWE-1321) because user-controlled input supplied to the fields and tables options is not properly sanitized when the nestTables feature is enabled. The flaw affects any application using the affected Node.js package to connect to MySQL or MariaDB databases and carries a CVSS 3.1 score of 8.2.
An unauthenticated remote attacker can supply a malicious payload in a query that triggers the pollution path, allowing modification of object prototypes. Successful exploitation can alter application behavior, leading to high-integrity impacts and limited availability consequences without requiring user interaction.
Public references point to a fix released in commit efe3db5 and pull request 2702; the recommended mitigation is to upgrade to mysql2 3.9.8 or later. Snyk advisories for both the direct package and embedded copies in webjars likewise list the patched version as the resolution.
The associated EPSS score has remained at its recorded peak of 0.6834 with no material upward movement after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-1718
Vulnerability details
Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.