Versions of `mysql` prior to 2.0.0-alpha8 are affected by a SQL Injection vulnerability in the `mysql.escape()` function, which does not properly escape object keys.

## Recommendation

Update to version 2.0.0-alpha8 or later.

Affected Packages

npm mysql

Affected versions: 0 (fixed in 2.0.0-alpha8)

Related CVEs

CVE-2015-9244

Key Information

GHSA ID

GHSA-fvq6-55gv-jx9f

Published

September 1, 2020 3:21 PM

Last Modified

August 31, 2020 6:09 PM

CVSS Score

5.0 /10

Primary Ecosystem

npm

Primary Package

mysql

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 4, 2025 6:27 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.