This PR contains the following updates: mysql2 3.6.5 -> 3.9.7
GitHub Vulnerability Alerts
CVE-2024-21507
Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the `keyFromFields` function, resulting in cache poisoning. An attacker can inject a colon (`:`) character within a value of the attacker-crafted key.
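The cache-poisoning mechanism above, as an added illustration that is not mysql2's own code: a parser cache keyed on the result-set shape collides when the key is a plain `:`-joined string and a column name itself contains `:`, so the row parser compiled for one shape is reused for another. The field objects with `name` and `columnType`, the `keysCollide`, `makeParserCache` and `parseAfterWarmup` helpers and the JSON-encoded key are this example's assumptions, simplified from the real column definition packet and not necessarily the fix shipped in 3.9.3.

```javascript
// Added example (not mysql2's own code): why a delimiter-joined parser cache
// key built from column metadata can collide, and one hardened alternative.
// Field objects with `name` and `columnType` are this example's assumption.

// Naive key: every field is "name:type", records joined on ':' with no
// escaping. A column name that itself contains ':' (a SELECT alias can) makes
// the record boundaries ambiguous.
function naiveKeyFromFields(fields) {
  return fields.map((f) => `${f.name}:${f.columnType}`).join(':');
}

// Hardened key: JSON-encode the list of [name, type] pairs. JSON escapes
// quotes and keeps array boundaries explicit, so distinct shapes cannot
// share a key whatever characters a column name contains.
function safeKeyFromFields(fields) {
  return JSON.stringify(fields.map((f) => [f.name, f.columnType]));
}

// Two constructed result-set shapes that share the same naive key:
// "a:253:b:253" for both.
const shapeOne = [{ name: 'a:253:b', columnType: 253 }];
const shapeTwo = [
  { name: 'a', columnType: 253 },
  { name: 'b', columnType: 253 },
];

function keysCollide(keyFn, a, b) {
  return keyFn(a) === keyFn(b);
}

// A minimal parser cache: compile one row parser per key and reuse it. The
// "parser" is a closure over the field list it was compiled for, which is
// exactly why a key collision matters: the wrong closure gets reused.
function makeParserCache(keyFn) {
  const cache = new Map();
  return function getParser(fields) {
    const key = keyFn(fields);
    let parser = cache.get(key);
    if (!parser) {
      parser = (row) => Object.fromEntries(fields.map((f, i) => [f.name, row[i]]));
      cache.set(key, parser);
    }
    return parser;
  };
}

// Parse a constructed two-column row after a one-column result set has
// already populated the cache. With the naive key the stale parser is reused
// and the second column is silently lost; with the safe key both survive.
function parseAfterWarmup(keyFn) {
  const getParser = makeParserCache(keyFn);
  getParser(shapeOne);
  return getParser(shapeTwo)(['x', 'y']);
}

console.log('naive key collides:', keysCollide(naiveKeyFromFields, shapeOne, shapeTwo));
console.log('safe key collides :', keysCollide(safeKeyFromFields, shapeOne, shapeTwo));
console.log('naive parse       :', parseAfterWarmup(naiveKeyFromFields));
console.log('safe parse        :', parseAfterWarmup(safeKeyFromFields));
```

The defensive point is that any cache key derived from data the database (and therefore a query author) controls needs an unambiguous encoding; JSON is one choice, a length-prefixed encoding is another. The same reasoning applies to any key built from untrusted strings, not only column names.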
CVE-2024-21508
Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the `readCodeFor` function due to improper validation of the `supportBigNumbers` and `bigNumberStrings` values.
CVE-2024-21509
Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through `parserFn` in `text_parser.js` and `binary_parser.js`.
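The results-object hazard above, as an added illustration that is not mysql2's own code: a row filled by plain property assignment treats a column named `__proto__` as the inherited setter rather than as a property, so an object value decoded from the database becomes that row's prototype. The `rowByAssignment`, `rowByDefineProperty` and `describeRow` helpers and the constructed field list are this example's assumptions; the hardened form shown is one of several possible fixes, not a claim about the change shipped in 3.9.4.

```javascript
// Added example (not mysql2's own code) of the row-construction hazard behind
// a "prototype poisoning" finding: filling a row object by plain assignment
// with a column named "__proto__" invokes the inherited __proto__ setter
// instead of creating a property, so an object value decoded from the
// database (a JSON column, say) becomes that row's prototype. The field list
// and values are constructed for the illustration.

// Vulnerable pattern: property assignment keyed by the column name.
function rowByAssignment(fields, values) {
  const row = {};
  for (let i = 0; i < fields.length; i++) {
    row[fields[i].name] = values[i];
  }
  return row;
}

// Hardened pattern: define own data properties. Object.defineProperty never
// consults the inherited __proto__ accessor, so the column becomes an
// ordinary own property and the row keeps Object.prototype as its prototype.
function rowByDefineProperty(fields, values) {
  const row = {};
  for (let i = 0; i < fields.length; i++) {
    Object.defineProperty(row, fields[i].name, {
      value: values[i],
      writable: true,
      enumerable: true,
      configurable: true,
    });
  }
  return row;
}

// Constructed result set: one ordinary column and one whose alias is
// "__proto__" carrying an already-decoded object value.
const sampleFields = [{ name: 'id' }, { name: '__proto__' }];
const sampleValues = [7, { fromDb: 'inherited' }];

// Summarise what a row built by `build` looks like to the caller.
function describeRow(build) {
  const row = build(sampleFields, sampleValues);
  return {
    protoIsObjectPrototype: Object.getPrototypeOf(row) === Object.prototype,
    hasOwnProtoColumn: Object.prototype.hasOwnProperty.call(row, '__proto__'),
    inheritedValue: row.fromDb, // undefined unless the prototype was replaced
    ownKeys: Object.keys(row),
  };
}

console.log('assignment    :', describeRow(rowByAssignment));
console.log('defineProperty:', describeRow(rowByDefineProperty));
```

With the assignment-built row, `fromDb` is readable on the row although it was never a column, and `Object.keys` does not list the `__proto__` column at all; with the defineProperty-built row the column is an ordinary own key. Building rows with `Object.create(null)` would also be immune, but such rows lose `hasOwnProperty`, `toString` and the rest of `Object.prototype`, which is a visible behaviour change for callers.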
CVE-2024-21511
Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the `timezone` parameter in the `readCodeFor` function by calling a native MySQL Server date/time function.
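The two `readCodeFor` findings (CVE-2024-21508 on `supportBigNumbers`/`bigNumberStrings` and CVE-2024-21511 on `timezone`) share one root cause: connection options are spliced into generated source, so any value that is not strictly of the expected type and shape can change what the generated code does. The following is an added illustration of the defensive principle, not mysql2's own code. The `validateOptions`, `generateNumberReader`, `generateDateReader` and `isRejected` helpers, the `TIMEZONE_RE` allowlist and the simplified big-number semantics are this example's assumptions, not mysql2's exact rules.

```javascript
// Added example (not mysql2's own code): validate connection options before
// they are interpolated into generated source in the readCodeFor style
// (building a column reader with `new Function`). The allowlist pattern and
// the simplified number semantics are this example's assumptions.

// Accept 'local', 'Z' or a fixed offset such as '+09:00' / '-05:30'.
const TIMEZONE_RE = /^(?:local|Z|[+-](?:[01]\d|2[0-3]):[0-5]\d)$/;

function validateOptions(opts = {}) {
  const out = {};
  for (const flag of ['supportBigNumbers', 'bigNumberStrings']) {
    const v = opts[flag] === undefined ? false : opts[flag];
    if (typeof v !== 'boolean') {
      throw new TypeError(`${flag} must be a boolean, got ${typeof v}`);
    }
    out[flag] = v;
  }
  const tz = opts.timezone === undefined ? 'local' : opts.timezone;
  if (typeof tz !== 'string' || !TIMEZONE_RE.test(tz)) {
    throw new TypeError('timezone must be "local", "Z" or an offset like "+HH:MM"');
  }
  out.timezone = tz;
  return out;
}

// Generate a reader for integer columns. Only validated booleans reach the
// template, so the emitted source can contain nothing but `true` / `false`
// at those positions. (Semantics simplified: safe integers become Numbers,
// larger ones become the original string or a BigInt.)
function generateNumberReader(opts) {
  const o = validateOptions(opts);
  const body = o.supportBigNumbers
    ? `const n = Number(text);
       if (Number.isSafeInteger(n)) return n;
       return ${o.bigNumberStrings} ? text : BigInt(text);`
    : 'return Number(text);';
  return new Function('text', body);
}

// Generate a reader for DATETIME text ('YYYY-MM-DD HH:MM:SS'). The timezone
// is allowlisted above and additionally emitted through JSON.stringify, so it
// lands in the generated source only as a string literal, never as code.
function generateDateReader(opts) {
  const o = validateOptions(opts);
  const body = `const tz = ${JSON.stringify(o.timezone)};
    const iso = text.replace(' ', 'T');
    if (tz === 'local') return new Date(iso);
    return new Date(iso + (tz === 'Z' ? 'Z' : tz));`;
  return new Function('text', body);
}

// Does validateOptions reject the given options with a TypeError?
function isRejected(opts) {
  try {
    validateOptions(opts);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

console.log(generateNumberReader({})('42'));
console.log(generateNumberReader({ supportBigNumbers: true, bigNumberStrings: true })('9007199254740993'));
console.log(generateDateReader({ timezone: '+09:00' })('2024-04-21 09:00:00').toISOString());
console.log(isRejected({ timezone: 'Asia/Tokyo' }), isRejected({ supportBigNumbers: 'true' }));
```

Two layers are at work: the allowlist rejects anything that is not one of the documented timezone shapes, and the string-literal encoding means that even a future widening of the allowlist cannot turn the value into code. The boolean check is the same idea for the number flags, since a non-boolean that is merely truthy would otherwise be spliced into the template as its string form.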
Release Notes
sidorares/node-mysql2 (mysql2)
### [`v3.9.7`](https://togithub.com/sidorares/node-mysql2/blob/HEAD/Changelog.md#397-2024-04-21)
[Compare Source](https://togithub.com/sidorares/node-mysql2/compare/v3.9.6...v3.9.7)
##### Bug Fixes
- **security:** sanitize timezone parameter value to prevent code injection ([#2608](https://togithub.com/sidorares/node-mysql2/issues/2608)) ([7d4b098](https://togithub.com/sidorares/node-mysql2/commit/7d4b098c7e29d5a6cb9eac2633bfcc2f0f1db713))
### [`v3.9.6`](https://togithub.com/sidorares/node-mysql2/blob/HEAD/Changelog.md#396-2024-04-18)
[Compare Source](https://togithub.com/sidorares/node-mysql2/compare/v3.9.5...v3.9.6)
##### Bug Fixes
- binary parser sometimes reads out of packet bounds when results contain null and typecast is false ([#2601](https://togithub.com/sidorares/node-mysql2/issues/2601)) ([705835d](https://togithub.com/sidorares/node-mysql2/commit/705835d06ff437cf0bf3169dac0a5f68002c4f87))
### [`v3.9.5`](https://togithub.com/sidorares/node-mysql2/blob/HEAD/Changelog.md#395-2024-04-17)
[Compare Source](https://togithub.com/sidorares/node-mysql2/compare/v3.9.4...v3.9.5)
##### Bug Fixes
- revert breaking change in results creation ([#2591](https://togithub.com/sidorares/node-mysql2/issues/2591)) ([f7c60d0](https://togithub.com/sidorares/node-mysql2/commit/f7c60d01a49666130f51d3847ccfdd3d6e3d33e9))
### [`v3.9.4`](https://togithub.com/sidorares/node-mysql2/blob/HEAD/Changelog.md#394-2024-04-09)
[Compare Source](https://togithub.com/sidorares/node-mysql2/compare/v3.9.3...v3.9.4)
##### Bug Fixes
- **docs:** improve the contribution guidelines ([#2552](https://togithub.com/sidorares/node-mysql2/issues/2552)) ([8a818ce](https://togithub.com/sidorares/node-mysql2/commit/8a818ce0f30654eba854759e6409c0ac856fc448))
- **security:** improve results object creation ([#2574](https://togithub.com/sidorares/node-mysql2/issues/2574)) ([4a964a3](https://togithub.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691))
- **security:** improve supportBigNumbers and bigNumberStrings sanitization ([#2572](https://togithub.com/sidorares/node-mysql2/issues/2572)) ([74abf9e](https://togithub.com/sidorares/node-mysql2/commit/74abf9ef94d76114d9a09415e28b496522a94805))
### [`v3.9.3`](https://togithub.com/sidorares/node-mysql2/blob/HEAD/Changelog.md#393-2024-03-26)
[Compare Source](https://togithub.com/sidorares/node-mysql2/compare/v3.9.2...v3.9.3)
##### Bug Fixes
- **security:** improve cache key formation ([#2424](https://togithub.com/sidorares/node-mysql2/issues/2424)) ([0d54b0c](https://togithub.com/sidorares/node-mysql2/commit/0d54b0ca6498c823098426038162ef10df02c818))
- Fixes a potential parser cache poisoning attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
- update Amazon RDS SSL CA cert ([#2131](https://togithub.com/sidorares/node-mysql2/pull/2131)) ([d9dccfd](https://togithub.com/sidorares/node-mysql2/commit/d9dccfd837d701f377574b85a05586be89015460))
### [`v3.9.2`](https://togithub.com/sidorares/node-mysql2/blob/HEAD/Changelog.md#392-2024-02-26)
[Compare Source](https://togithub.com/sidorares/node-mysql2/compare/v3.9.1...v3.9.2)
##### Bug Fixes
- **stream:** premature close when it is paused ([#2416](https://togithub.com/sidorares/node-mysql2/issues/2416)) ([7c6bc64](https://togithub.com/sidorares/node-mysql2/commit/7c6bc642addb3e6fee1b1fdc84f83a72ff11ca4a))
- **types:** expose TypeCast types ([#2425](https://togithub.com/sidorares/node-mysql2/issues/2425)) ([336a7f1](https://togithub.com/sidorares/node-mysql2/commit/336a7f1259c63d2dfe070fe400b141e89255844e))
### [`v3.9.1`](https://togithub.com/sidorares/node-mysql2/blob/HEAD/Changelog.md#391-2024-01-29)
[Compare Source](https://togithub.com/sidorares/node-mysql2/compare/v3.9.0...v3.9.1)
##### Bug Fixes
- **types:** support encoding for string type cast ([#2407](https://togithub.com/sidorares/node-mysql2/issues/2407)) ([1dc2011](https://togithub.com/sidorares/node-mysql2/commit/1dc201144daceab0b12193ada0f13dbb25e917f6))
### [`v3.9.0`](https://togithub.com/sidorares/node-mysql2/blob/HEAD/Changelog.md#390-2024-01-26)
[Compare Source](https://togithub.com/sidorares/node-mysql2/compare/v3.8.0...v3.9.0)
##### Features
- introduce typeCast for `execute` method ([#2398](https://togithub.com/sidorares/node-mysql2/issues/2398)) ([baaa92a](https://togithub.com/sidorares/node-mysql2/commit/baaa92a228d32012f7da07826674f7a736e3791d))
### [`v3.8.0`](https://togithub.com/sidorares/node-mysql2/blob/HEAD/Changelog.md#380-2024-01-23)
[Compare Source](https://togithub.com/sidorares/node-mysql2/compare/v3.7.1...v3.8.0)
##### Features
- **perf:** cache iconv decoder ([#2391](https://togithub.com/sidorares/node-mysql2/issues/2391)) ([b95b3db](https://togithub.com/sidorares/node-mysql2/commit/b95b3dbe4bb34e36d0d1be6948e4d8a169d28eed))
##### Bug Fixes
- **stream:** premature close when using `for await` ([#2389](https://togithub.com/sidorares/node-mysql2/issues/2389)) ([af47148](https://togithub.com/sidorares/node-mysql2/commit/af4714845603f70e3c1ef635f6c0750ff1987a9e))
- The removeIdleTimeoutConnectionsTimer did not clean up when the … ([#2384](https://togithub.com/sidorares/node-mysql2/issues/2384)) ([18a44f6](https://togithub.com/sidorares/node-mysql2/commit/18a44f6a0a0b7ef41cc874d7a7bb2d3db83ea533))
- **types:** add missing types to TypeCast ([#2390](https://togithub.com/sidorares/node-mysql2/issues/2390)) ([78ce495](https://togithub.com/sidorares/node-mysql2/commit/78ce4953e9c66d6cf40ffc2d252fa3701a2d4fe2))
### [`v3.7.1`](https://togithub.com/sidorares/node-mysql2/blob/HEAD/Changelog.md#371-2024-01-17)
[Compare Source](https://togithub.com/sidorares/node-mysql2/compare/v3.7.0...v3.7.1)
##### Bug Fixes
- add condition which allows code in callback to be reachable ([#2376](https://togithub.com/sidorares/node-mysql2/issues/2376)) ([8d5b903](https://togithub.com/sidorares/node-mysql2/commit/8d5b903f5c24ef6378d4aa98d3fd4e13d39be4db))
### [`v3.7.0`](https://togithub.com/sidorares/node-mysql2/blob/HEAD/Changelog.md#370-2024-01-07)
[Compare Source](https://togithub.com/sidorares/node-mysql2/compare/v3.6.5...v3.7.0)
##### Features
- **docs:** release documentation website ([#2339](https://togithub.com/sidorares/node-mysql2/issues/2339)) ([c0d77c0](https://togithub.com/sidorares/node-mysql2/commit/c0d77c02d2f4ad22b46a712d270fc2654d26de4e))
Configuration
📅 Schedule: Branch creation - "" in timezone Asia/Tokyo, Automerge - "before 4am" in timezone Asia/Tokyo.
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.