mysql@2.0.0-alpha3 vulnerabilities

A node.js driver for mysql. It is written in JavaScript, does not require compiling, and is 100% MIT licensed.

Direct Vulnerabilities

Known vulnerabilities in the mysql package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • L
Uninitialized Memory Exposure

mysql is a node.js driver for mysql.

Affected versions of the package are vulnerable due to the unsafe use of the Buffer() method. Uninitialized memory may be exposed when a value of type number is provided to various methods in mysql which require allocation of buffers and results in concatenation of uninitialized memory to the buffer collection.

This vulnerability is unlikely to be exploited, but may be possible if a server-side mysql accepts typed input for passwords from the client even though the user doesn’t control the server-side code (i.e through JSON format).

How to fix Uninitialized Memory Exposure?

Upgrade mysql to version 2.14.0 or higher. Note This is vulnerable only for Node <=4

<2.14.0
  • H
SQL Injection

mysql is a node.js driver for mysql. Affected versions of this package do not properly escape column identifiers with mysql.escape() and can result in SQL injection vulnerability.

How to fix SQL Injection?

Upgrade mysql to version >=v2.0.0-alpha8 or higher.

>=2.0.0-alpha <2.0.0-alpha8