mysql2 is vulnerable to SQL Injection
75
High Risk
Affected versions of this package contain an SQL injection vulnerability due to inconsistent escape behavior based on parameter value types. The library’s escape functions (connection.escape(), mysql.escape(), pool.escape()) handle different types (e.g., strings, numbers, objects) differently, and when non-string types such as Object are passed into parameterized queries, the resulting SQL can be altered in unexpected ways that allow an attacker to inject SQL logic and bypass intended controls. This can lead to authentication bypass and other injection impacts even in code that appears to use proper escaping. The root cause is the escape logic’s type-dependent behavior, and mitigation requires enforcing strict type handling or configuration (such as enabling stringifyObjects) before executing queries to ensure safe escaping of all input types.
You are affected if you are using a version that falls within the vulnerable range.
mysql2 is vulnerable to SQL Injection in versions 0.0.1 - 3.16.3.
Upgrade the mysql2 library to the patched version.
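Application-side enforcement of the strict type handling the advisory recommends, as an added example that is not mysql2's own code: every query parameter is checked to be a scalar before the query is built, and the connection is configured with the stringifyObjects option the advisory names. The `conn` object, the helper names and the connection values are assumptions.

```javascript
// Added example (not part of mysql2): application-side strict type handling
// for query parameters. Only values that escape unambiguously are allowed;
// an Object or Array arriving from a parsed JSON body is rejected before it
// can reach the driver's type-dependent escape logic.

const SCALAR_TYPES = new Set(['string', 'number', 'boolean']);

// True only for parameter types whose escaped form cannot change query structure.
function isSafeParam(value) {
  if (value === null) return true;                 // becomes NULL
  if (value instanceof Date) return true;          // becomes a quoted datetime literal
  if (typeof value === 'number') return Number.isFinite(value);
  return SCALAR_TYPES.has(typeof value);
}

// Throws on the first parameter that is not a safe scalar; returns the array
// unchanged otherwise so it can be passed straight to query()/execute().
function assertScalarParams(params) {
  if (!Array.isArray(params)) throw new TypeError('params must be an array');
  params.forEach((value, i) => {
    if (!isSafeParam(value)) {
      const kind = Array.isArray(value) ? 'array' : typeof value;
      throw new TypeError(`query parameter ${i} is a ${kind}; only scalar values are accepted`);
    }
  });
  return params;
}

// Library-side mitigation named in the advisory: with stringifyObjects enabled,
// an object passed as a parameter is escaped as a string instead of being
// expanded into SQL. Host/user/database values are constructed placeholders.
const connectionConfig = {
  host: 'localhost',
  user: 'app',
  database: 'app',
  stringifyObjects: true,
};

// Call site: `conn` is assumed to be a mysql2 connection created from
// connectionConfig; the guard runs before the query is built.
function findUser(conn, username, password) {
  const params = assertScalarParams([username, password]);
  return conn.execute('SELECT id FROM users WHERE username = ? AND password = ?', params);
}
```

The guard deliberately rejects arrays as well as objects; if a query legitimately needs a list parameter, allow that case explicitly rather than loosening the check globally.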