GHSA-898v-775g-777c

Source

https://github.com/advisories/GHSA-898v-775g-777c

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-898v-775g-777c/GHSA-898v-775g-777c.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-898v-775g-777c

Aliases

CVE-2025-67510

Published

2025-12-09T17:19:42Z

Modified

2025-12-11T16:23:02.135438Z

Severity

9.4 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H CVSS Calculator

Summary

Neuron MySQLWriteTool allows arbitrary/destructive SQL when exposed to untrusted prompts (agent “footgun”)

Details

Impact

MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare() + execute() without semantic restrictions.

This is consistent with the name (“write tool”), but in an LLM/agent context it becomes a high-risk capability: prompt injection or indirect prompt manipulation can cause execution of destructive queries such as DROP TABLE, TRUNCATE, DELETE, ALTER, or privilege-related statements (subject to DB permissions).

Who is impacted: Deployments that expose an agent with MySQLWriteTool enabled to untrusted input and/or run the tool with a DB user that has broad privileges.

Patches

Not patched in: 2.8.11

Recommended improvements (even if keeping the tool intentionally powerful):

Provide a safer API that supports only constrained operations (e.g., insertRecord, updateRecord) with allowlisted tables/columns.
Add a policy/allowlist layer (e.g., allow only INSERT/UPDATE on selected tables; forbid DROP/TRUNCATE/ALTER/GRANT).
Add optional review workflow: log + require human approval for high-risk statements; or “dry-run” mode.
Document strongly that the tool must not be exposed to untrusted prompts without additional safeguards.

Workarounds

Do not enable MySQLWriteTool for public/untrusted agents.
Use a dedicated DB user with least privilege:
- no DROP, no ALTER, no GRANT, no access to sensitive tables unless necessary
Add an application-layer policy rejecting high-risk statements (DROP, TRUNCATE, ALTER, GRANT, REVOKE, CREATE USER, etc.).
Implement authorization gating for tool calls (RBAC, allow tool use only for trusted operators).

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": "2025-12-10T23:15:48Z",
    "github_reviewed_at": "2025-12-09T17:19:42Z",
    "severity": "CRITICAL",
    "cwe_ids": [
        "CWE-250",
        "CWE-284"
    ]
}

References

Affected packages

Packagist / neuron-core/neuron-ai

Package

Name: neuron-core/neuron-ai
Purl: pkg:composer/neuron-core/neuron-ai

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.8.12

Affected versions

1.*

1.0.0

1.0.1

1.1.0

1.1.1

1.1.2

1.1.3

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.2.8

1.2.9

1.2.10

1.2.11

1.2.12

1.2.13

1.2.14

1.2.15

1.2.16

1.2.17

1.2.18

1.2.19

1.2.20

1.2.21

1.2.22

1.2.23

1.2.24

1.2.25

1.3.0

1.3.1

1.3.2

1.4.0

1.4.1

1.4.2

1.5.0

1.5.1

1.5.2

1.5.3

1.5.4

1.6.0

1.7.0

1.7.1

1.7.2

1.8.0

1.8.1

1.8.2

1.8.3

1.8.4

1.8.5

1.8.6

1.8.7

1.8.8

1.8.9

1.8.10

1.8.11

1.8.12

1.8.13

1.8.14

1.8.15

1.8.16

1.8.17

1.8.18

1.8.19

1.9.0

1.9.1

1.9.2

1.9.3

1.9.4

1.9.5

1.9.6

1.9.7

1.9.8

1.9.9

1.9.10

1.9.11

1.9.12

1.9.13

1.9.14

1.9.15

1.9.16

1.9.17

1.9.18

1.9.19

1.9.20

1.9.21

1.9.22

1.9.23

1.9.24

1.9.25

1.9.26

1.9.27

1.9.28

1.9.29

1.9.30

1.9.31

1.9.32

1.9.33

1.9.34

1.9.35

1.9.36

1.9.37

1.10.0

1.10.1

1.10.2

1.10.3

1.10.4

1.10.5

1.10.6

1.10.7

1.10.8

1.10.9

1.10.10

1.10.11

1.10.12

1.10.13

1.10.14

1.10.15

1.10.16

1.10.17

1.10.18

1.10.19

1.10.20

1.11.0

1.11.1

1.11.2

1.11.3

1.11.4

1.11.5

1.11.6

1.11.7

1.11.8

1.11.9

1.11.10

1.12.0

1.12.1

1.12.2

1.12.3

1.12.4

1.12.5

1.12.6

1.12.7

1.12.8

1.12.9

1.12.10

1.12.11

1.12.12

1.12.13

1.12.14

1.12.15

1.12.16

1.12.17

1.12.18

1.13.0

1.13.1

1.13.2

1.13.3

1.14.0

1.14.1

1.14.2

1.14.3

1.14.4

1.14.5

1.14.6

1.14.7

1.14.8

1.14.9

1.14.10

1.14.11

1.14.12

1.14.13

1.14.14

1.14.15

1.14.16

1.14.17

1.14.18

1.14.19

1.14.20

1.14.21

1.14.22

1.14.23

1.14.24

1.14.25

1.14.26

1.14.27

1.14.28

1.14.29

1.15.0

1.15.1

1.15.2

1.15.3

1.15.4

1.15.5

1.15.6

1.15.7

1.15.8

1.15.9

1.15.10

1.15.11

1.15.12

1.15.13

1.15.14

1.15.15

1.15.16

1.15.17

1.15.18

1.15.19

1.15.20

1.15.21

1.15.22

1.16.0

1.16.1

1.16.2

1.16.3

1.16.4

1.16.5

1.16.6

1.16.7

1.16.8

1.16.9

1.16.10

1.16.11

1.16.12

1.16.13

1.16.14

1.16.15

1.16.16

1.16.17

1.16.18

1.16.19

1.16.20

1.16.21

1.16.22

1.16.23

1.17.0

1.17.1

1.17.2

1.17.3

1.17.4

1.17.5

1.17.6

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.1.0

2.1.1

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.2.10

2.2.11

2.2.12

2.2.13

2.2.14

2.3.0

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.5.4

2.5.5

2.5.6

2.5.7

2.5.8

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.6.6

2.6.7

2.7.0

2.8.0

2.8.1

2.8.2

2.8.3

2.8.4

2.8.5

2.8.6

2.8.7

2.8.8

2.8.9

2.8.10

2.8.11

Database specific

last_known_affected_version_range

"<= 2.8.11"