GMS-2019-136: Remote Memory Exposure in mysql

May 23, 2019 (updated August 3, 2022)

Versions of mysql before 2.14.0 is vulnerable to remove memory exposure.

Affected versions of mysql package allocate and send an uninitialized memory over the network when a number is provided as a password.

Only mysql running on Node.js versions below 6.0.0 is affected due to a throw added in newer node.js versions.

Proof of Concept:

require('mysql').createConnection({
 host: 'localhost',
 user: 'user',
 password : USERPROVIDEDINPUT, // number
 database : 'my_db'
}).connect();

Recommendation

Update to version 2.14.0 or later.

References

github.com/advisories/GHSA-5f7m-mmpc-qhh4
github.com/mysqljs/mysql/commit/310c6a7d1b2e14b63b572dbfbfa10128f20c6d52
nodesecurity.io/advisories/602
www.npmjs.com/advisories/602

Detect and mitigate GMS-2019-136 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →