CVE-2024-21509
Prototype Poisoning vulnerability in mysql2 (npm)


What is CVE-2024-21509 About?

This vulnerability is a Prototype Poisoning issue in `mysql2` versions before 3.9.4, caused by insecure results object creation and improper input sanitization. Attackers can manipulate object prototypes, which can lead to impacts ranging from denial of service to remote code execution; the issue is severe, although exploitation may be complex.

Affected Software

mysql2 <3.9.4

Technical Details

Versions of the `mysql2` package prior to 3.9.4 are vulnerable to Prototype Poisoning. This flaw arises from insecure results object creation and insufficient sanitization of user input passed through the `parserFn` functions in `text_parser.js` and `binary_parser.js`. An attacker can manipulate the `__proto__` property of base objects or object constructors by injecting specially crafted data via the database results. This allows the attacker to add or modify properties on the global `Object.prototype`, which can then affect all objects in the JavaScript application, potentially leading to arbitrary code execution, denial of service, or other undesirable behaviors.

What is the Impact of CVE-2024-21509?

Successful exploitation may allow attackers to inject arbitrary properties into object prototypes, potentially leading to remote code execution, denial of service, information disclosure, or other unexpected behaviors across the application.

What is the Exploitability of CVE-2024-21509?

Exploitation complexity for prototype poisoning can vary from moderate to high, often requiring a deep understanding of JavaScript object mechanics and the specific application's data flow. Authenticated access to the database (or an injection path to it) is likely a prerequisite. Privileges would depend on the nature of the database interaction. This vulnerability is typically an internal or local exploitation vector, but could be chained with other vulnerabilities for remote impact. Special conditions include the application using mysql2 versions prior to 3.9.4 and processing untrusted data through parserFn without adequate sanitization. The risk is significantly increased when applications directly reflect database results into dynamic object structures.

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2024-21509?

A Fix by Resolved Security Exists!
See how we help you strengthen security with automated backported fixes for your libraries.

About the Fix from Resolved Security

The patch changes result objects from standard JavaScript objects to objects with a null prototype using `Object.create(null)` and explicitly redefines the `constructor` property to further prevent prototype chain manipulation. This mitigates CVE-2024-21509 by blocking prototype pollution attacks, which could allow malicious input keys like `__proto__` or `constructor` to tamper with the object prototype and compromise application security.
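The following is an added example, not code from mysql2 or from the fix itself. It shows the mechanism described in the Technical Details section and the `Object.create(null)` approach described above, side by side: a naive row builder that assigns column values onto a plain `{}` and a hardened builder that uses a null-prototype object. The column names, the JSON-decoded value and the helper names (`buildRowNaive`, `buildRowHardened`, `rowIsPoisoned`) are constructed for illustration.

```javascript
// Added example (not mysql2's code): how a result-row builder reacts to a
// column whose name is `__proto__`, before and after the null-prototype fix.

// Constructed sample result set: one row, two columns. The second column is
// aliased `__proto__` and its value has already been decoded from a JSON
// column into an object, which is the case where assignment is dangerous.
const sampleColumns = ['id', '__proto__'];
const sampleValues = [42, { isAdmin: true }];

// Naive builder: a plain `{}` inherits the `__proto__` accessor from
// Object.prototype, so `row['__proto__'] = obj` replaces the row's prototype
// instead of creating an own property. The row now "has" every key of obj.
function buildRowNaive(columns, values) {
  const row = {};
  for (let i = 0; i < columns.length; i++) {
    row[columns[i]] = values[i];
  }
  return row;
}

// Hardened builder, following the Object.create(null) idea from the fix:
// a null-prototype object has no inherited accessors, so `__proto__` and
// `constructor` are just string keys. defineProperty is used so that no
// setter lookup happens at all; the value lands as an own data property.
function buildRowHardened(columns, values) {
  const row = Object.create(null);
  for (let i = 0; i < columns.length; i++) {
    Object.defineProperty(row, columns[i], {
      value: values[i],
      writable: true,
      enumerable: true,
      configurable: true,
    });
  }
  return row;
}

// Check usable in a test suite or a review: a row is considered poisoned when
// its prototype is neither null nor Object.prototype, or when some column was
// not recorded as an own property (i.e. the assignment went somewhere else).
function rowIsPoisoned(row, columns) {
  const proto = Object.getPrototypeOf(row);
  if (proto !== null && proto !== Object.prototype) return true;
  return columns.some((c) => !Object.prototype.hasOwnProperty.call(row, c));
}

// Runs both builders on the constructed sample and returns the observations.
function demo() {
  const naive = buildRowNaive(sampleColumns, sampleValues);
  const hardened = buildRowHardened(sampleColumns, sampleValues);
  return {
    naiveIsAdmin: naive.isAdmin,            // true: inherited from the injected prototype
    naivePoisoned: rowIsPoisoned(naive, sampleColumns),       // true
    hardenedIsAdmin: hardened.isAdmin,      // undefined: nothing is inherited
    hardenedPoisoned: rowIsPoisoned(hardened, sampleColumns), // false
    hardenedHasOwnProto: Object.prototype.hasOwnProperty.call(hardened, '__proto__'), // true
  };
}

console.log(demo());
```

The `rowIsPoisoned` check is the part worth keeping around after upgrading: it can be run over rows returned by any result parser to confirm that reserved key names end up as own properties and that the prototype chain of every row is the one you expect.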

Available Upgrade Options

  • mysql2
    • <3.9.4 → Upgrade to 3.9.4


Additional Resources

What are Similar Vulnerabilities to CVE-2024-21509?

Similar Vulnerabilities: CVE-2021-23386, CVE-2020-7699, CVE-2020-15250, CVE-2022-46175, CVE-2023-37905