CVE-2025-67509: Neuron MySQLSelectTool “read-only” bypass via `SELECT ... INTO OUTFILE` (file write → potential RCE)
(updated )
MySQLSelectTool is intended to be a read-only SQL tool (e.g., for LLM agent querying). However, validation based on the first keyword (e.g., SELECT) and a forbidden-keyword list does not block file-writing constructs such as INTO OUTFILE / INTO DUMPFILE.
As a result, an attacker who can influence the tool input (e.g., prompt injection through a public agent endpoint) may be able to write arbitrary content to files on the DB server.
If the MySQL/MariaDB account has the FILE privilege and server configuration permits writes to a useful location (e.g., a web-accessible directory), the impact can escalate to remote code execution on the application host (for example, by writing a PHP web shell).
Who is impacted: Deployments that expose an agent using MySQLSelectTool to untrusted input and run with overly-permissive DB privileges/configuration.
References
- github.com/advisories/GHSA-j8g6-5gqc-mq36
- github.com/neuron-core/neuron-ai
- github.com/neuron-core/neuron-ai/commit/72735d0ea133266cf2f5d5d195d41e9dd865289a
- github.com/neuron-core/neuron-ai/releases/tag/2.8.12
- github.com/neuron-core/neuron-ai/security/advisories/GHSA-j8g6-5gqc-mq36
- nvd.nist.gov/vuln/detail/CVE-2025-67509
Code Behaviors & Features
Detect and mitigate CVE-2025-67509 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →