Update dependency mysql2 to v3.9.8 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
mysql2 (source)	3.6.2 → 3.9.8

---

mysql2 cache poisoning vulnerability

CVE-2024-21507 / GHSA-mqr2-w7wj-jjgr

More information

Details

Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon : character within a value of the attacker-crafted key.

Severity

• CVSS Score: 6.9 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-21507
• https://github.com/sidorares/node-mysql2/pull/2424
• https://github.com/sidorares/node-mysql2/commit/0d54b0ca6498c823098426038162ef10df02c818
• https://blog.slonser.info/posts/mysql2-attacker-configuration
• https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591300
• https://github.com/advisories/GHSA-mqr2-w7wj-jjgr

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

mysql2 Remote Code Execution (RCE) via the readCodeFor function

CVE-2024-21508 / GHSA-fpw7-j2hg-69v5

More information

Details

Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.

Severity

• CVSS Score: 9.8 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-21508
• https://github.com/sidorares/node-mysql2/pull/2572
• https://github.com/sidorares/node-mysql2/commit/74abf9ef94d76114d9a09415e28b496522a94805
• https://blog.slonser.info/posts/mysql2-attacker-configuration
• https://github.com/sidorares/node-mysql2/blob/1609b5393516d72a4ae47196837317fbe75e0c13/lib/parsers/text_parser.js%23L14C10-L14C21
• https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4
• https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591085
• https://github.com/advisories/GHSA-fpw7-j2hg-69v5

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

mysql2 vulnerable to Prototype Poisoning

CVE-2024-21509 / GHSA-49j4-86m8-q2jw

More information

Details

Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.

Severity

• CVSS Score: 6.9 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-21509
• https://github.com/sidorares/node-mysql2/pull/2574
• https://github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691
• https://blog.slonser.info/posts/mysql2-attacker-configuration
• https://github.com/sidorares/node-mysql2/blob/fd3d117da82cc5c5fa5a3701d7b33ca77691bc61/lib/parsers/text_parser.js%23L134
• https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4
• https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591084
• https://github.com/advisories/GHSA-49j4-86m8-q2jw

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

MySQL2 for Node Arbitrary Code Injection

CVE-2024-21511 / GHSA-4rch-2fh8-94vw

More information

Details

Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.

Severity

• CVSS Score: 9.8 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-21511
• https://github.com/sidorares/node-mysql2/pull/2608
• https://github.com/sidorares/node-mysql2/commit/7d4b098c7e29d5a6cb9eac2633bfcc2f0f1db713
• https://github.com/sidorares/node-mysql2/releases/tag/v3.9.7
• https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6670046
• https://github.com/advisories/GHSA-4rch-2fh8-94vw

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

mysql2 vulnerable to Prototype Pollution

CVE-2024-21512 / GHSA-pmh2-wpjm-fj45

More information

Details

Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.

Severity

• CVSS Score: 8.2 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-21512
• https://github.com/sidorares/node-mysql2/pull/2702
• https://github.com/sidorares/node-mysql2/commit/efe3db527a2c94a63c2d14045baba8dfefe922bc
• https://gist.github.com/domdomi3/e9f0f9b9b1ed6bfbbc0bea87c5ca1e4a
• https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6861580
• https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-7176010
• https://github.com/advisories/GHSA-pmh2-wpjm-fj45

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

sidorares/node-mysql2 (mysql2)

v3.9.8

Compare Source

Bug Fixes

• security: sanitize fields and tables when using nestTables (#​2702) (efe3db5)
• support deno + caching_sha2_password FULL_AUTHENTICATION_PACKET flow (#​2704) (2e03694)
• typings: typo from jonServerPublicKey to onServerPublicKey (#​2699) (8b5f691)

v3.9.7

Compare Source

Bug Fixes

• security: sanitize timezone parameter value to prevent code injection (#​2608) (7d4b098)

v3.9.6

Compare Source

Bug Fixes

• binary parser sometimes reads out of packet bounds when results contain null and typecast is false (#​2601) (705835d)

v3.9.5

Compare Source

Bug Fixes

• revert breaking change in results creation (#​2591) (f7c60d0)

v3.9.4

Compare Source

Bug Fixes

• docs: improve the contribution guidelines (#​2552) (8a818ce)
• security: improve results object creation (#​2574) (4a964a3)
• security: improve supportBigNumbers and bigNumberStrings sanitization (#​2572) (74abf9e)

v3.9.3

Compare Source

Bug Fixes

• security: improve cache key formation (#​2424) (0d54b0c)
  • Fixes a potential parser cache poisoning attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
• update Amazon RDS SSL CA cert (#​2131) (d9dccfd)

v3.9.2

Compare Source

Bug Fixes

• stream: premature close when it is paused (#​2416) (7c6bc64)
• types: expose TypeCast types (#​2425) (336a7f1)

v3.9.1

Compare Source

Bug Fixes

• types: support encoding for string type cast (#​2407) (1dc2011)

v3.9.0

Compare Source

Features

• introduce typeCast for execute method (#​2398) (baaa92a)

v3.8.0

Compare Source

Features

• perf: cache iconv decoder (#​2391) (b95b3db)

Bug Fixes

• stream: premature close when using for await (#​2389) (af47148)
• The removeIdleTimeoutConnectionsTimer did not clean up when the … (#​2384) (18a44f6)
• types: add missing types to TypeCast (#​2390) (78ce495)

v3.7.1

Compare Source

Bug Fixes

• add condition which allows code in callback to be reachable (#​2376) (8d5b903)

v3.7.0

Compare Source

Features

• docs: release documentation website (#​2339) (c0d77c0)

v3.6.5

Compare Source

Bug Fixes

• add decodeuricomponent to parse uri encoded special characters in host, username, password and datbase keys (#​2277) (fe573ad)

v3.6.4

Compare Source

Bug Fixes

• malformed FieldPacket (#​2280) (8831e09)
• move missing options to ConnectionOptions (#​2288) (5cd7639)

v3.6.3

Compare Source

Bug Fixes

• correctly pass values when used with sql-template-strings library (#​2266) (6444f99)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.