[Aikido] Fix security issue in mysql2 via major version upgrade from 2.1.0 to 3.17.0 in server#32

Open
aikido-autofix[bot] wants to merge 1 commit into master from fix/aikido-security-KAN-2671update-packages-28406435-g4nn
Conversation

aikido-autofix (bot) commented Apr 30, 2026

Upgrade mysql2 to fix critical Remote Code Execution vulnerabilities in parameter validation and High severity Prototype Pollution and SQL injection issues.

✅ Code not affected by breaking changes.

✅ No breaking changes from the mysql2 upgrade affect this codebase.

The security fix in version 3.17.0 addresses SQL injection bypass through objects passed in queries. However, this codebase:

  1. Uses Sequelize ORM as the primary database interface (not raw mysql2 queries)

  2. The only direct db.query() call found in server/routes/index.js:47 uses string interpolation with template literals, not parameterized queries with objects

  3. No instances were found where objects are passed as query parameters to mysql2 methods

The codebase does not use the affected pattern (passing objects in queries), so the security fix will not restrict any existing functionality.

All breaking changes by upgrading mysql2 from version 2.1.0 to 3.17.0 (CHANGELOG)

Version | Description
3.17.0  | Security fix resolves a potential SQL injection bypass through objects, which may restrict previously working behavior where objects were passed in queries
✅ 6 CVEs resolved by this upgrade, including 2 critical 🚨 CVEs

This PR will resolve the following CVEs:

Issue             | Severity    | Description
CVE-2024-21508    | 🚨 CRITICAL | [mysql2] Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.
AIKIDO-2024-10037 | 🚨 CRITICAL | [mysql2] Affected versions of this package are vulnerable to Remote Code Execution (RCE) via the readCodeFor function (lib/parsers/text_parser.js and lib/parsers/binary_parser.js) due to improper validation of the 'timezone' value.
AIKIDO-2024-10020 | HIGH        | [mysql2] Affected versions of this package are vulnerable to Remote Code Execution (RCE) via the readCodeFor function, due to improper validation of the supportBigNumbers and bigNumberStrings values. This vulnerability is exploitable when using user-defined database connections.
CVE-2024-21512    | HIGH        | [mysql2] Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.
AIKIDO-2026-10225 | HIGH        | [mysql2] SQL injection vulnerability in escape functions due to inconsistent type handling, allowing attackers to inject SQL logic and bypass authentication through non-string parameter types in parameterized queries.
AIKIDO-2024-10019 | MEDIUM      | [mysql2] Versions of the mysql2 package prior to 3.9.4 are vulnerable to prototype poisoning due to insecure creation of the results object and improper sanitization of user input passed through the parserFn in text_parser.js and binary_parser.js.

@aikido-autofix aikido-autofix Bot added bug Something isn't working documentation Improvements or additions to documentation labels Apr 30, 2026