GHSA-j8g6-5gqc-mq36

Source

https://github.com/advisories/GHSA-j8g6-5gqc-mq36

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-j8g6-5gqc-mq36/GHSA-j8g6-5gqc-mq36.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-j8g6-5gqc-mq36

Aliases

CVE-2025-67509

Published

2025-12-09T17:19:23Z

Modified

2025-12-11T16:22:53.967518Z

Severity

8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N CVSS Calculator

Summary

Neuron MySQLSelectTool “read-only” bypass via `SELECT ... INTO OUTFILE` (file write → potential RCE)

Details

Impact

MySQLSelectTool is intended to be a read-only SQL tool (e.g., for LLM agent querying). However, validation based on the first keyword (e.g., SELECT) and a forbidden-keyword list does not block file-writing constructs such as INTO OUTFILE / INTO DUMPFILE.

As a result, an attacker who can influence the tool input (e.g., prompt injection through a public agent endpoint) may be able to write arbitrary content to files on the DB server.

If the MySQL/MariaDB account has the FILE privilege and server configuration permits writes to a useful location (e.g., a web-accessible directory), the impact can escalate to remote code execution on the application host (for example, by writing a PHP web shell).

Who is impacted: Deployments that expose an agent using MySQLSelectTool to untrusted input and run with overly-permissive DB privileges/configuration.

Patches

Not patched in: 2.8.11

Fixed in: 2.8.12

Recommended fix direction:

Explicitly reject queries containing: INTO, OUTFILE, DUMPFILE, LOAD_FILE, and other file/IO-related functions/clauses.
Prefer AST-based validation (SQL parser) over keyword checks.
Constrain allowed tables/columns and disallow multi-statements.

Workarounds

If you cannot upgrade immediately:

Remove/disable MySQLSelectTool for any agent reachable from untrusted input.
Ensure DB account used by the tool does not have FILE privilege.
Ensure secure_file_priv is set to a directory that is not web-accessible (or restrict it tightly).
Add a defensive query filter at the application layer rejecting INTO OUTFILE, INTO DUMPFILE, LOAD_FILE, ; (multi-statements), and suspicious comment patterns.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-09T17:19:23Z",
    "nvd_published_at": "2025-12-10T23:15:48Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-94"
    ]
}

References

Affected packages

Packagist / neuron-core/neuron-ai

Package

Name: neuron-core/neuron-ai
Purl: pkg:composer/neuron-core/neuron-ai

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.8.12

Affected versions

1.*

1.0.0

1.0.1

1.1.0

1.1.1

1.1.2

1.1.3

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.2.8

1.2.9

1.2.10

1.2.11

1.2.12

1.2.13

1.2.14

1.2.15

1.2.16

1.2.17

1.2.18

1.2.19

1.2.20

1.2.21

1.2.22

1.2.23

1.2.24

1.2.25

1.3.0

1.3.1

1.3.2

1.4.0

1.4.1

1.4.2

1.5.0

1.5.1

1.5.2

1.5.3

1.5.4

1.6.0

1.7.0

1.7.1

1.7.2

1.8.0

1.8.1

1.8.2

1.8.3

1.8.4

1.8.5

1.8.6

1.8.7

1.8.8

1.8.9

1.8.10

1.8.11

1.8.12

1.8.13

1.8.14

1.8.15

1.8.16

1.8.17

1.8.18

1.8.19

1.9.0

1.9.1

1.9.2

1.9.3

1.9.4

1.9.5

1.9.6

1.9.7

1.9.8

1.9.9

1.9.10

1.9.11

1.9.12

1.9.13

1.9.14

1.9.15

1.9.16

1.9.17

1.9.18

1.9.19

1.9.20

1.9.21

1.9.22

1.9.23

1.9.24

1.9.25

1.9.26

1.9.27

1.9.28

1.9.29

1.9.30

1.9.31

1.9.32

1.9.33

1.9.34

1.9.35

1.9.36

1.9.37

1.10.0

1.10.1

1.10.2

1.10.3

1.10.4

1.10.5

1.10.6

1.10.7

1.10.8

1.10.9

1.10.10

1.10.11

1.10.12

1.10.13

1.10.14

1.10.15

1.10.16

1.10.17

1.10.18

1.10.19

1.10.20

1.11.0

1.11.1

1.11.2

1.11.3

1.11.4

1.11.5

1.11.6

1.11.7

1.11.8

1.11.9

1.11.10

1.12.0

1.12.1

1.12.2

1.12.3

1.12.4

1.12.5

1.12.6

1.12.7

1.12.8

1.12.9

1.12.10

1.12.11

1.12.12

1.12.13

1.12.14

1.12.15

1.12.16

1.12.17

1.12.18

1.13.0

1.13.1

1.13.2

1.13.3

1.14.0

1.14.1

1.14.2

1.14.3

1.14.4

1.14.5

1.14.6

1.14.7

1.14.8

1.14.9

1.14.10

1.14.11

1.14.12

1.14.13

1.14.14

1.14.15

1.14.16

1.14.17

1.14.18

1.14.19

1.14.20

1.14.21

1.14.22

1.14.23

1.14.24

1.14.25

1.14.26

1.14.27

1.14.28

1.14.29

1.15.0

1.15.1

1.15.2

1.15.3

1.15.4

1.15.5

1.15.6

1.15.7

1.15.8

1.15.9

1.15.10

1.15.11

1.15.12

1.15.13

1.15.14

1.15.15

1.15.16

1.15.17

1.15.18

1.15.19

1.15.20

1.15.21

1.15.22

1.16.0

1.16.1

1.16.2

1.16.3

1.16.4

1.16.5

1.16.6

1.16.7

1.16.8

1.16.9

1.16.10

1.16.11

1.16.12

1.16.13

1.16.14

1.16.15

1.16.16

1.16.17

1.16.18

1.16.19

1.16.20

1.16.21

1.16.22

1.16.23

1.17.0

1.17.1

1.17.2

1.17.3

1.17.4

1.17.5

1.17.6

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.1.0

2.1.1

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.2.10

2.2.11

2.2.12

2.2.13

2.2.14

2.3.0

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.5.4

2.5.5

2.5.6

2.5.7

2.5.8

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.6.6

2.6.7

2.7.0

2.8.0

2.8.1

2.8.2

2.8.3

2.8.4

2.8.5

2.8.6

2.8.7

2.8.8

2.8.9

2.8.10

2.8.11

Database specific

last_known_affected_version_range

"<= 2.8.11"