CVE-2024-21511 Overview
CVE-2024-21511 is an Arbitrary Code Injection vulnerability affecting the mysql2 Node.js package in versions prior to 3.9.7. The vulnerability exists due to improper sanitization of the timezone parameter in the readCodeFor function, which allows attackers to inject and execute arbitrary code by manipulating native MySQL Server date/time function calls.
Critical Impact
This vulnerability allows remote attackers to execute arbitrary code on systems running vulnerable versions of the mysql2 package without requiring authentication, potentially leading to complete system compromise.
Affected Products
- mysql2 npm package versions before 3.9.7
- Node.js applications using vulnerable mysql2 versions
- Backend services relying on mysql2 for MySQL database connectivity
Discovery Timeline
- April 23, 2024 - CVE-2024-21511 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2024-21511
Vulnerability Analysis
This Code Injection vulnerability (CWE-94) exists in the mysql2 package's binary and text parser modules. The vulnerability stems from unsafe handling of the timezone parameter when constructing dynamic code strings that are subsequently executed. When processing date/time fields from MySQL, the parser functions build code strings that include the timezone value without proper escaping or sanitization. An attacker who can control the timezone configuration value can inject malicious JavaScript code that will be executed when the parser processes date/time data from the database.
The attack is particularly dangerous because it requires no privileges to exploit and can be triggered remotely across the network. Successful exploitation results in complete compromise of confidentiality, integrity, and availability of the affected system.
Root Cause
The root cause lies in the readCodeFor function within both lib/parsers/binary_parser.js and lib/parsers/text_parser.js. These parsers construct JavaScript code strings by directly interpolating the timezone parameter value using template literals without proper escaping. When the timezone value contains malicious code, it gets executed as part of the dynamically generated parser function.
Attack Vector
The attack exploits the network-accessible nature of applications using the mysql2 package. An attacker can inject arbitrary JavaScript code through a maliciously crafted timezone parameter. Since the parser dynamically generates and executes code containing this parameter, any injected payload will be executed with the privileges of the Node.js application. This could allow an attacker to:
- Execute arbitrary system commands
- Access sensitive data and environment variables
- Establish persistent backdoors
- Pivot to other systems on the network
// Security patch in lib/parsers/binary_parser.js
case Types.TIMESTAMP:
case Types.NEWDATE:
if (helpers.typeMatch(field.columnType, dateStrings, Types)) {
- return `packet.readDateTimeString(${field.decimals});`;
+ return `packet.readDateTimeString(${parseInt(field.decimals, 10)});`;
}
- return `packet.readDateTime('${timezone}');`;
+ return `packet.readDateTime(${helpers.srcEscape(timezone)});`;
case Types.TIME:
return 'packet.readTimeString()';
case Types.DECIMAL:
Source: GitHub Commit Details
// Security patch in lib/parsers/text_parser.js
if (helpers.typeMatch(type, dateStrings, Types)) {
return 'packet.readLengthCodedString("ascii")';
}
- return `packet.parseDate('${timezone}')`;
+ return `packet.parseDate(${helpers.srcEscape(timezone)})`;
case Types.DATETIME:
case Types.TIMESTAMP:
if (helpers.typeMatch(type, dateStrings, Types)) {
return 'packet.readLengthCodedString("ascii")';
}
- return `packet.parseDateTime('${timezone}')`;
+ return `packet.parseDateTime(${helpers.srcEscape(timezone)})`;
case Types.TIME:
return 'packet.readLengthCodedString("ascii")';
case Types.GEOMETRY:
Source: GitHub Commit Details
Detection Methods for CVE-2024-21511
Indicators of Compromise
- Unexpected outbound network connections from Node.js application processes
- Anomalous system command execution originating from Node.js processes
- Unusual modifications to timezone configuration values in database connection settings
- Suspicious child processes spawned by the Node.js application
Detection Strategies
- Monitor for package versions in package.json or package-lock.json files containing mysql2 versions below 3.9.7
- Implement runtime application self-protection (RASP) to detect code injection attempts
- Use software composition analysis (SCA) tools to identify vulnerable dependencies
- Deploy web application firewalls (WAF) with rules to detect code injection patterns in timezone-related parameters
Monitoring Recommendations
- Enable detailed logging for database connection configurations and parameter values
- Monitor Node.js process behavior for unexpected code execution patterns
- Set up alerts for modifications to database connection settings, particularly timezone values
- Implement integrity monitoring for application dependencies and lock files
How to Mitigate CVE-2024-21511
Immediate Actions Required
- Upgrade the mysql2 package to version 3.9.7 or later immediately
- Audit all applications using mysql2 to identify vulnerable deployments
- Review database connection configurations for any suspicious timezone values
- Implement input validation for any user-controllable configuration parameters
Patch Information
The vulnerability has been fixed in mysql2 version 3.9.7. The fix introduces proper sanitization of the timezone parameter using the helpers.srcEscape() function and applies parseInt() to numeric parameters like decimals. The patch can be reviewed in the GitHub Pull Request and the GitHub Release Version 3.9.7.
Workarounds
- If immediate patching is not possible, ensure timezone configuration values come only from trusted, hardcoded sources
- Implement strict input validation and sanitization for any configuration parameters that could influence database connections
- Consider temporarily disabling dynamic timezone configuration until the patch can be applied
- Deploy network segmentation to limit the blast radius of potential exploitation
# Update mysql2 package to patched version
npm update mysql2@3.9.7
# Or install the specific patched version
npm install mysql2@3.9.7
# Verify installed version
npm list mysql2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
