Cyber Resilience

CVE-2024-21512

High

Published: 29 May 2024

Modified: 15 April 2026
KEV Added
Patch
CVSS Score (v3.1): 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L)
EPSS Score: 0.6834 (98.6th percentile)
Risk Priority: 57 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-21512 is a high-severity Prototype Pollution (CWE-1321) vulnerability in the mysql2 Node.js package; the vendor field, Snyk, is inferred from references rather than from an NVD CPE. Its CVSS base score is 8.2 (High).

Operationally, its EPSS score ranks it in the top 1.4% of CVEs by exploit likelihood (98.6th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Versions of the mysql2 package before 3.9.8 are vulnerable to prototype pollution (CWE-1321) because user-controlled input supplied to the fields and tables options is not properly sanitized when the nestTables feature is enabled. The flaw affects any Node.js application that uses the affected package to connect to MySQL or MariaDB databases, and it carries a CVSS 3.1 base score of 8.2.

An unauthenticated remote attacker can supply a malicious payload in a query that reaches the pollution path, allowing modification of object prototypes. Successful exploitation can alter application behavior, giving a high integrity impact and a limited availability impact without requiring user interaction, consistent with the CVSS vector.

Public references point to a fix released in commit efe3db5 and pull request 2702; the recommended mitigation is to upgrade to mysql2 3.9.8 or later. Snyk advisories for both the direct package and embedded copies in webjars likewise list the patched version as the resolution.
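As an added illustration (not mysql2's own code and not taken from the fix commit), the following is a hypothetical nestTables-style row builder in the unsanitized shape the advisory describes, next to a hardened version that rejects prototype-walking keys and builds null-prototype containers:

```javascript
// Added illustration, not mysql2's own code: a minimal nestTables-style row
// builder that groups each column under its table name. Column metadata
// (table and field names) is taken from the result set, so query text can
// influence the keys used here.

// Property names that resolve to Object.prototype instead of staying on the row.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unsanitized shape, kept only to show the failure mode: a plain object and
// unchecked keys mean a key such as '__proto__' reaches Object.prototype.
function nestRowUnsafe(columns, values) {
  const row = {};
  columns.forEach((col, i) => {
    if (!row[col.table]) row[col.table] = {};
    row[col.table][col.name] = values[i];
  });
  return row;
}

// Hardened shape: reject prototype-walking keys and use null-prototype
// containers so there is no inherited chain to pollute.
function assertSafeKey(key) {
  if (typeof key !== 'string' || FORBIDDEN_KEYS.has(key)) {
    throw new TypeError(`refusing to use ${JSON.stringify(key)} as a row key`);
  }
  return key;
}

function nestRowSafe(columns, values) {
  const row = Object.create(null);
  columns.forEach((col, i) => {
    const table = assertSafeKey(col.table);
    const name = assertSafeKey(col.name);
    if (!Object.prototype.hasOwnProperty.call(row, table)) {
      row[table] = Object.create(null);
    }
    row[table][name] = values[i];
  });
  return row;
}

// Constructed sample metadata, as a driver might report it for
// SELECT u.id, u.name FROM users u
const SAMPLE_COLUMNS = [{ table: 'u', name: 'id' }, { table: 'u', name: 'name' }];
const SAMPLE_VALUES = [7, 'alice'];
```

The hardened builder is the shape to look for when reviewing a driver or wrapper that turns column metadata into object keys: an explicit key check plus containers with no prototype chain.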

The associated EPSS score has remained at its recorded peak of 0.6834 with no material upward movement after disclosure.

EU & UK References

Vulnerability details

Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.

CWE(s): CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Snyk (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References