Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Keys of objects in mysql node module v2.0.0-alpha7 and earlier are not escaped with mysql.escape() which could lead to SQL Injection.
Advisories for Npm/Mysql package
2020
2019
Information Exposure
An issue was discovered in the mysql (aka mysqljs) module for Node.js. The LOAD DATA LOCAL INFILE option is open by default.
Remote Memory Exposure in mysql
Versions of mysql before 2.14.0 is vulnerable to remove memory exposure. Affected versions of mysql package allocate and send an uninitialized memory over the network when a number is provided as a password. Only mysql running on Node.js versions below 6.0.0 is affected due to a throw added in newer node.js versions. Proof of Concept: require('mysql').createConnection({ host: 'localhost', user: 'user', password : USERPROVIDEDINPUT, // number database : 'my_db' }).connect(); Recommendation …
2015
SQL Injection due to unescaped object keys
Keys of objects are not escaped with mysql.escape() which could lead to SQL Injection.