CVE-2024-21508
Command Injection vulnerability in mysql2 (npm)

Tags: Command Injection · Proof of concept · Fixable By Resolved Security

What is CVE-2024-21508 About?

A command injection vulnerability in mlflow/mlflow allows for remote code execution by exploiting improper neutralization of special elements in OS commands. Attackers can control file paths via path traversal or absolute paths, leading to arbitrary file writes and subsequent code execution. This vulnerability is highly critical and relatively easy to exploit with crafted inputs.

Affected Software

mysql2 <3.9.4

Technical Details

The vulnerability resides in the mlflow.data.http_dataset_source.py module of mlflow/mlflow versions up to 8.2.1. When a dataset is loaded from a source URL using an HTTP scheme, the filename extracted from either the Content-Disposition header or the URL path is used to construct the final file path for saving the downloaded content. Critically, this filename is not properly sanitized. An attacker can inject path traversal sequences (e.g., ../../tmp/poc.txt) or absolute paths (e.g., /tmp/poc.txt) into the Content-Disposition header or the URL path. This allows the attacker to specify an arbitrary location on the filesystem to write the downloaded file. By writing a specially crafted file (e.g., a web shell or a configuration file) to a controlled location, an attacker can achieve arbitrary file write, which can then be leveraged for remote code execution via various methods, such as overwriting system command paths or injecting malicious scripts.

What is the Impact of CVE-2024-21508?

Successful exploitation may allow attackers to execute arbitrary operating system commands, gain full control of the vulnerable machine, access sensitive data and model information, and compromise the integrity and availability of the system.

What is the Exploitability of CVE-2024-21508?

Exploitation of this vulnerability is of moderate complexity. It can be performed remotely and typically does not require authentication, as it targets how the server processes external data sources (HTTP URLs for datasets). The attacker needs to supply a specially crafted URL or Content-Disposition header when triggering a dataset load operation. No special privileges are required on the victim machine for the initial arbitrary file write. An attacker must be able to send HTTP requests to the mlflow instance that trigger the vulnerable code path. The primary prerequisite is the ability to interact with the mlflow server's dataset loading functionality. The risk factors that increase the likelihood of exploitation include public-facing mlflow instances and any scenario where untrusted users can initiate dataset loading operations, especially from attacker-controlled URLs.

What are the Known Public Exploits?

PoC / Author / Link / Commentary: no known public exploits listed.

What are the Available Fixes for CVE-2024-21508?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch coerces the values of the supportBigNumbers and bigNumberStrings options to booleans using Boolean(), so a malicious string is treated as a simple boolean flag rather than as code. This removes the code injection risk present in the original code, which could have executed string option values as code, and thereby fixes CVE-2024-21508.
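Why coercing the two flags matters is easiest to see when option values are spliced into source text that is later compiled. The block below is an added illustration, not mysql2's own code: it assumes, as a hypothetical model of the pattern the fix addresses, that a driver builds a row-conversion function at runtime by concatenating source text and passing it to new Function(). The option names are the ones the fix names; everything else (function names, the sample option values) is constructed for this example.

```javascript
// Added illustration (not mysql2's own code) of the fix described above:
// forcing configuration flags to booleans with Boolean() before they are
// interpolated into generated source.
//
// Assumption (hypothetical, modelled on the pattern the fix addresses): a
// driver builds a value-conversion function at runtime by concatenating source
// text and compiling it with new Function(). If a flag is interpolated as-is,
// a string value becomes part of the program instead of a boolean.

// Constructed sample: one option arrives as a string from an untrusted
// configuration source instead of as a real boolean.
const UNTRUSTED_OPTIONS = {
  supportBigNumbers: 'true; /* attacker-controlled text */',
  bigNumberStrings: false,
};

// Hardened normalisation, mirroring the fix: each flag is forced to a real
// boolean, so the only values that can reach generated source are true/false.
function normalizeOptions(options) {
  return {
    supportBigNumbers: Boolean(options.supportBigNumbers),
    bigNumberStrings: Boolean(options.bigNumberStrings),
  };
}

// Weak pattern: raw option values are interpolated into the source text.
// Only the text is produced here; it is never compiled in this example.
function buildConverterSourceUnsafe(options) {
  return [
    `const big = ${options.supportBigNumbers};`,
    `const asString = ${options.bigNumberStrings};`,
    'return big ? (asString ? String(value) : Number(value)) : Number(value);',
  ].join('\n');
}

// Hardened pattern: normalise first, so the template only ever sees booleans.
function buildConverterSource(options) {
  const safe = normalizeOptions(options);
  return [
    `const big = ${safe.supportBigNumbers};`,
    `const asString = ${safe.bigNumberStrings};`,
    'return big ? (asString ? String(value) : Number(value)) : Number(value);',
  ].join('\n');
}

// Compile the hardened source; `value` is the column value to convert.
function compileConverter(options) {
  return new Function('value', buildConverterSource(options));
}

// Defensive check usable in a test suite: every flag line in the generated
// source must consist of exactly one boolean literal and nothing else.
function sourceIsClean(src) {
  return /^const big = (true|false);$/m.test(src) &&
    /^const asString = (true|false);$/m.test(src);
}

// Stand-alone demonstration: the unsafe template leaks the raw string into
// the program text, the hardened one does not.
console.log('unsafe source clean:', sourceIsClean(buildConverterSourceUnsafe(UNTRUSTED_OPTIONS)));
console.log('hardened source clean:', sourceIsClean(buildConverterSource(UNTRUSTED_OPTIONS)));
console.log('converted value:', compileConverter(UNTRUSTED_OPTIONS)('42'));
```

The `sourceIsClean` check is the kind of regression test worth keeping next to any code generator: it fails as soon as a non-boolean value can reach a flag position, independent of which particular string was supplied.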

Available Upgrade Options

  • mysql2
    • <3.9.4 → Upgrade to 3.9.4


Additional Resources

What are Similar Vulnerabilities to CVE-2024-21508?

Similar Vulnerabilities: CVE-2021-41773, CVE-2019-19901, CVE-2018-1002105, CVE-2017-1000350, CVE-2016-1000000