GHSA-4rch-2fh8-94vw · Severity: critical · Ecosystem: npm — MySQL2 for Node Arbitrary Code Injection
Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.
Conclusion & alert: CVE-2024-21511 is rated Moderate Risk (60.7/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 1.03%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.17% | 1.03% | +0.85% |
| 2 | 2026-05-12 | 0.13% | 0.17% | +0.04% |
| 3 | 2025-11-21 | — | 0.13% | — |
Full EPSS history (9 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.8 | 3.1 | CRITICAL |
|
3.9 | 5.9 | [email protected] |
GHSA-4rch-2fh8-94vw · Severity: critical · Ecosystem: npm — MySQL2 for Node Arbitrary Code Injection
| vendor | priority | summary | link |
|---|---|---|---|
redhat
|
high | — | https://access.redhat.com/security/cve/CVE-2024-21511 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| No affected products in dataset. | |||