CVE-2024-21507
Improper Input Validation vulnerability in mysql2 (npm)
What is CVE-2024-21507 About?
This vulnerability resides in `mysql2` versions before 3.9.3, specifically within the `keyFromFields` function, which builds the keys for the driver's internal parser cache. Before the fix, the key was a string of values joined by delimiters, so an attacker who can inject a colon character (`:`) into a value that becomes part of the key can make two different parameter sets produce the same key and poison the cache. Exploitation is of low complexity and can lead to integrity issues or denial of service.
Affected Software
- mysql2 (npm), versions before 3.9.3
Technical Details
The vulnerability affects the `mysql2` package in versions prior to 3.9.3 and is located in the `keyFromFields` function, which generates the cache keys under which compiled result-set parsers are stored. The flaw is an Improper Input Validation issue: the function concatenates its inputs (query options and per-column metadata) into a single string using fixed delimiters, without escaping input that may itself contain those delimiters. A value containing a colon (`:`) is therefore indistinguishable from the separator between two fields, and distinct sets of parameters can collide on one key. When a key collides, the cache returns the parser compiled for a different set of parameters, so subsequent lookups retrieve the poisoned entry. Depending on what the application does with the mis-parsed rows, this can lead to data integrity issues, unexpected application behavior, or denial of service if critical application logic relies on these cached values.
What is the Impact of CVE-2024-21507?
Successful exploitation may allow attackers to poison mysql2's internal parser cache, so that a later query is served a cached parser built for a different set of parameters. This leads to data integrity issues, unexpected application behavior, or denial of service if critical application logic relies on the results returned through the poisoned entry.
What is the Exploitability of CVE-2024-21507?
Exploitation of this vulnerability is of low complexity. An attacker needs to be able to supply input that is eventually used to construct a cache key via the `keyFromFields` function; the key is derived from query options and from result-set column metadata (names, types, schema and table), so influencing a column alias in a query is one way to reach it. This is typically a remote vulnerability, achieved by crafting specific input to an application that uses the mysql2 connector. No authentication is listed as a prerequisite, so it may be exploitable by unauthenticated users wherever they can influence the data that forms a cache key, and no elevated privileges are required. The key requirement is the ability to inject a colon character (`:`) into a value that becomes part of the cache key. The risk of exploitation increases in applications that use mysql2 and dynamically build queries, column aliases or query options from user-supplied data without appropriate sanitization.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-21507?
About the Fix from Resolved Security
The patch changes the cache key generation for parser objects by serializing input parameters using JSON rather than concatenating values into a string with delimiters. This prevents potential cache key collisions that could occur if attacker-controlled values injected rogue delimiters or formatting, which could in turn cause the parser to return incorrect cached results, leading to security issues described in CVE-2024-21507. JSON serialization ensures keys are unambiguous and reliably unique for each distinct set of parameters, closing the vulnerability.
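To make the collision described above concrete, the following is an added example that is not code from mysql2 or from Resolved Security. It models the two key-building strategies in simplified form: a pre-3.9.3 style key that joins values with `/` and `:` delimiters, and a 3.9.3 style key that serializes the same values with `JSON.stringify`. The column metadata objects, the `binary` parser type, the option names and the toy cache are constructed for this demonstration (they mimic the shape the driver works with, but the field sets and values are invented); the crafted alias uses both delimiters so that a single column can impersonate two.

```javascript
'use strict';

// Added example, not mysql2's own code: simplified model of the parser cache
// key before the fix. Every value is pasted into one string, so a ':' or '/'
// inside a value is indistinguishable from the delimiters themselves.
function keyFromFieldsVulnerable(type, fields, options) {
  let res = `${type}/${typeof options.nestTables}/${options.nestTables}/${Boolean(options.rowsAsArray)}`;
  for (const f of fields) {
    res += `/${f.name}:${f.columnType}:${f.length}:${f.schema}:${f.table}:${f.flags}:${f.characterSet}`;
  }
  return res;
}

// Simplified model of the fixed strategy: the same parameters are serialized as
// JSON, so every string is quoted and escaped and the array nesting carries the
// field boundaries. A ':' in a name is just a character inside a JSON string.
function keyFromFieldsFixed(type, fields, options) {
  const parts = [type, typeof options.nestTables, options.nestTables, Boolean(options.rowsAsArray)];
  for (const f of fields) {
    parts.push([f.name, f.columnType, f.length, f.schema, f.table, f.flags, f.characterSet]);
  }
  return JSON.stringify(parts);
}

// Constructed column metadata for a legitimate two-column result set
// (e.g. SELECT id, name FROM users). Values are invented for the example.
const LEGIT_FIELDS = [
  { name: 'id', columnType: 3, length: 11, schema: 'app', table: 'users', flags: 0, characterSet: 63 },
  { name: 'name', columnType: 253, length: 255, schema: 'app', table: 'users', flags: 0, characterSet: 45 },
];

// Constructed single column whose alias smuggles the delimiters, as produced by
// something like: SELECT email AS `id:3:11:app:users:0:63/name` FROM users
const CRAFTED_FIELDS = [
  { name: 'id:3:11:app:users:0:63/name', columnType: 253, length: 255, schema: 'app', table: 'users', flags: 0, characterSet: 45 },
];

// Assumed query options; nestTables left unset, rowsAsArray off.
const OPTIONS = { nestTables: undefined, rowsAsArray: false };

// True when the two different field sets map onto the same cache key.
function keysCollide(keyFn) {
  return keyFn('binary', LEGIT_FIELDS, OPTIONS) === keyFn('binary', CRAFTED_FIELDS, OPTIONS);
}

// Toy stand-in for the driver's parser cache: the cached object records how
// many columns the compiled row parser expects. Returns the column count of the
// parser handed to the crafted one-column query after a legitimate query has
// already populated the cache.
function simulateCache(keyFn) {
  const cache = new Map();
  const getParser = (fields) => {
    const key = keyFn('binary', fields, OPTIONS);
    if (!cache.has(key)) cache.set(key, { columns: fields.length });
    return cache.get(key);
  };
  getParser(LEGIT_FIELDS);
  return getParser(CRAFTED_FIELDS).columns;
}

function demonstrate() {
  return {
    vulnerableKeysCollide: keysCollide(keyFromFieldsVulnerable), // true
    fixedKeysCollide: keysCollide(keyFromFieldsFixed),           // false
    vulnerableParserColumns: simulateCache(keyFromFieldsVulnerable), // 2: wrong parser for a 1-column result
    fixedParserColumns: simulateCache(keyFromFieldsFixed),           // 1: correct parser
  };
}

console.log(demonstrate());
```

With the delimiter-joined key, the one-column crafted result set is served the parser compiled for the two-column result, which is the integrity failure the advisory describes; with the JSON key the crafted alias stays a single quoted string and gets its own entry. The same reasoning applies to any other delimiter-bearing value (schema or table names, option values) that reaches the key.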
Available Upgrade Options
- mysql2
- <3.9.3 → Upgrade to 3.9.3
Additional Resources
- https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591300
- https://blog.slonser.info/posts/mysql2-attacker-configuration/
- https://github.com/sidorares/node-mysql2/commit/0d54b0ca6498c823098426038162ef10df02c818
- https://github.com/sidorares/node-mysql2/pull/2424
- https://nvd.nist.gov/vuln/detail/CVE-2024-21507
- https://github.com/sidorares/node-mysql2
- https://osv.dev/vulnerability/GHSA-mqr2-w7wj-jjgr
What are Similar Vulnerabilities to CVE-2024-21507?
Similar Vulnerabilities: CVE-2023-45803, CVE-2022-38568, CVE-2021-42340, CVE-2020-25642, CVE-2019-10793
