July 2018 – CVE-2018-3754 All versions of query-mysql are vulnerable to SQL injection

As time goes by node.js and MYSQL database become another technology trend in IT world. Before Node.js, Javascript was only used for client-side development. It was necessary to use a different server-side programming language. Nowadays web applications deploy Javascript, making app deployment much easier and more efficient.

But web application developer must staying alert. However a vulnerability was found. The Node.js third-party module query-mysql versions 0.0.0, 0.0.1, and 0.0.2 are vulnerable to an SQL injection vulnerability due to lack of user input sanitization. This may allow an attacker to run arbitrary SQL queries when fetching data from database.

Should you have interested, please see below: