CVE-2025-30224

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-30224
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30224.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-30224
Aliases
  • GHSA-r8qc-xp3g-c458
Related
Published
2025-04-01T15:16:05Z
Modified
2025-04-01T22:59:21.284385Z
Summary
[none]
Details

MyDumper is a MySQL Logical Backup Tool. The MySQL C client library (libmysqlclient) allows authenticated remote actors to read arbitrary files from client systems via a crafted server response to LOAD LOCAL INFILE query, leading to sensitive information disclosure when clients connect to untrusted MySQL servers without explicitly disabling the local infile capability. Mydumper has the local infile option enabled by default and does not have an option to disable it. This can lead to an unexpected arbitrary file read if the Mydumper tool connects to an untrusted server. This vulnerability is fixed in 0.18.2-8.

References

Affected packages

Debian:11 / mydumper

Package

Name
mydumper
Purl
pkg:deb/debian/mydumper?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.10.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / mydumper

Package

Name
mydumper
Purl
pkg:deb/debian/mydumper?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.10.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}