Security Issue: Change stringifyObjects default value to true

[mantrainfosec]

Alarm bells were raised about this in 2022 [1], 2024 [2] and 2025 [3]. The stringifyObjects default is set to false, which makes literally thousands of applications susceptible to SQL Injection.

If the default value had been set to true instead of the current default false, it would have protected all new applications from this vulnerability, which was introduced in node-mysql and later replicated in node-mysql2.

All technical details can be found in [1] and [2]. It is alarming that, although this issue was raised, it has not been fixed since.

[1] https://flattsecurity.medium.com/finding-an-unseen-sql-injection-by-bypassing-escape-functions-in-mysqljs-mysql-90b27f6542b4
[2] #1247 (comment)
[3] https://blog.mantrainfosec.com/blog/18/prepared-statements-prepared-to-be-vulnerable

[wellwelwel]

Hi, @mantrainfosec. If you believe this is indeed a vulnerability, it is recommended to follow the instructions in SECURITY.md and privately submitting a PoC using MySQL2.

Note

It is alarming that, although this issue was raised, it has not been fixed since.

If the issue has already been privately reported to MySQL2 and you haven't received a response, you can also report it privately to Snyk in Vulnerability Disclosure.

Important

Alarm bells were raised about this in 2022 [1], 2024 [2] and 2025 [3].

Publicly disclosing a vulnerability on external blogs and in public issue trackers without giving a chance for resolution (I cannot assume whether the author of Flatt Security Inc. communicated with those responsible at mysqljs/mysql or sqlstring), is not a good practice, especially on detailed blogs where we have no way of knowing that something has been published, sometimes, until it's too late.

[wellwelwel]

cc @sidorares

[mantrainfosec]

I do not intend to start an argument; however, the information was already published in 2022. While I understand that it may not have been formally reported at the time, the issue was also raised in the corresponding GitHub issue in 2024, which appears not to have been addressed.

[wellwelwel]

@mantrainfosec, thanks for the feedback. I'm working on this 🙋🏻‍♂️