Versions of mysql before 2.14.0 are vulnerable to remote memory exposure.
Affected versions of the mysql package allocate and send uninitialized memory over the network when a number is provided as a password.
mysql running on Node.js versions below 6.0.0 is affected, due to a throw added in newer Node.js versions.
Proof of Concept:
    var connection = mysql.createConnection({
      password : USERPROVIDEDINPUT, // number
      database : 'my_db'
    });
Update to version 2.14.0 or later.
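A defensive check for the condition described above, as an added example that is not part of the original advisory or of the mysql package: isAffected encodes the affected version combination, and checkedConfig rejects a non-string password before it reaches the driver. Both function names and the sample JSON input are assumptions constructed for illustration.

```javascript
'use strict';

// Parse "major.minor.patch" (optionally prefixed with "v") into three numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new TypeError('unrecognised version: ' + v);
  return m.slice(1).map(Number);
}

// True when version a is strictly lower than version b (numeric comparison,
// so 2.9.0 is correctly treated as lower than 2.14.0).
function isBelow(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Affected combination as stated in the advisory:
// mysql before 2.14.0 running on Node.js below 6.0.0.
function isAffected(mysqlVersion, nodeVersion) {
  return isBelow(mysqlVersion, '2.14.0') && isBelow(nodeVersion, '6.0.0');
}

// Hypothetical guard (not a mysql API): refuse any connection config whose
// password is not a string, instead of handing it to the driver.
function checkedConfig(config) {
  if (config.password !== undefined && typeof config.password !== 'string') {
    throw new TypeError('password must be a string, got ' + typeof config.password);
  }
  return config;
}

// Constructed sample input: an unquoted JSON value arrives as a number.
const fromClient = JSON.parse('{"password": 4096, "database": "my_db"}');

let rejected = false;
try {
  checkedConfig(fromClient);
} catch (e) {
  rejected = e instanceof TypeError;
}
console.log('numeric password rejected:', rejected);
console.log('this runtime affected with mysql 2.13.0:',
  isAffected('2.13.0', process.version));
```

The type check is worth keeping after the upgrade to 2.14.0, since it stops malformed input at the application boundary regardless of driver version.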