
[Aikido] Fix 2 security issues in mysql2, undici #944

Closed
aikido-autofix[bot] wants to merge 1 commit into main from fix/AIK-9971-AIK-9993-update-packages-17197401-mUPR

Conversation

@aikido-autofix
Contributor

Upgrade mysql2 and undici to patch critical SQL injection and content encoding DoS vulnerabilities that could enable remote code execution and resource exhaustion.

✅ Code not affected by breaking changes.

No breaking changes from either package upgrade affect this codebase:

mysql2 (3.12.0 => 3.17.0):

  • PromisePoolCluster.of change: Not used in the codebase

  • SQL injection security fix for objects in queries: The codebase only passes strings and arrays to query()/execute() methods, never objects as query parameters

undici (7.10.0 => 7.18.2):

  • maxRedirections option removal: Not used in the codebase. The only usage of undici.request() found in benchmarks/operations/undici.js and test files does not use this option

All breaking changes by upgrading mysql2 from version 3.12.0 to 3.17.0 (CHANGELOG)

| Version | Description |
| --- | --- |
| 3.13.0 | PromisePoolCluster.of now returns PromisePoolCluster instead of PoolNamespace |
| 3.17.0 | Security fix resolves a potential SQL injection bypass through objects, which may restrict previously working behavior when passing objects in queries |

All breaking changes by upgrading undici from version 7.10.0 to 7.18.2 (CHANGELOG)

| Version | Description |
| --- | --- |
| 7.11.0 | feat: throw error when maxRedirections is used with undici.request() |
| 7.13.0 | fix: remove deprecated maxRedirections option from types |

✅ 2 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
| --- | --- | --- |
| AIKIDO-2026-10225 | HIGH | [mysql2] SQL injection vulnerability in escape functions due to inconsistent type handling, allowing attackers to inject SQL logic and bypass authentication through non-string parameter types in parameterized queries. |
| AIKIDO-2026-10022 | LOW | [undici] A malicious server can send HTTP responses with excessive layered Content-Encoding headers, forcing the client into recursive decompression that exhausts CPU and memory resources, causing denial-of-service. This was mitigated by limiting the encoding chain to a maximum of 5 layers. |

🔗 Related Tasks
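As an added example (not code from this PR, from Aikido, or from mysql2/undici), two JavaScript guards that turn the conditions the description above relies on into runtime checks: the "only strings and arrays are passed as query parameters" audit for mysql2, and the 5-layer Content-Encoding cap cited for undici. Function names and the allowed-type policy are assumptions chosen for illustration.

```javascript
// Added example, not code from the PR or from mysql2/undici. It turns the two
// conditions this upgrade relies on into runtime guards; function names and
// the allowed-type policy are assumptions chosen for illustration.

// Guard 1 (mysql2): the audit above holds because the codebase never passes
// objects as query parameters. Enforce it: allow strings, numbers, null and
// flat arrays of those; reject objects, nested arrays and undefined.
function isSafeQueryParam(value) {
  if (value === null) return true;
  const t = typeof value;
  if (t === 'string' || t === 'number') return true;
  if (Array.isArray(value)) {
    // Flat arrays only: every item must itself be an allowed scalar.
    return value.every((v) => !Array.isArray(v) && isSafeQueryParam(v));
  }
  return false; // plain objects, booleans, undefined, Buffers, Dates, ...
}

// Validate a parameter list before it reaches query()/execute().
// Returns the same array on success, throws TypeError otherwise.
function assertSafeQueryParams(params) {
  if (!Array.isArray(params)) throw new TypeError('params must be an array');
  params.forEach((p, i) => {
    if (!isSafeQueryParam(p)) {
      const kind = Array.isArray(p) ? 'nested array' : typeof p;
      throw new TypeError(`query param ${i} has disallowed type: ${kind}`);
    }
  });
  return params;
}

// Guard 2 (undici): the advisory says the fix caps the Content-Encoding
// chain at 5 layers. The same check can be applied to any response before
// it is handed to a decompressor (token parsing here is simplified).
const MAX_ENCODING_LAYERS = 5;

function contentEncodingLayers(headerValue) {
  if (typeof headerValue !== 'string') return [];
  return headerValue.split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
}

function isAcceptableEncodingChain(headerValue, max = MAX_ENCODING_LAYERS) {
  return contentEncodingLayers(headerValue).length <= max;
}

// Constructed sample inputs.
assertSafeQueryParams(['alice', [1, 2, 3]]); // passes: strings and a flat array
console.log(isAcceptableEncodingChain('gzip, br')); // true
console.log(isAcceptableEncodingChain(Array(6).fill('gzip').join(', '))); // false
```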


codecov Bot commented Feb 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

