ghsa-898v-775g-777c
Vulnerability from github
Impact
MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare() + execute() without semantic restrictions.
This is consistent with the name (“write tool”), but in an LLM/agent context it becomes a high-risk capability: prompt injection or indirect prompt manipulation can cause execution of destructive queries such as DROP TABLE, TRUNCATE, DELETE, ALTER, or privilege-related statements (subject to DB permissions).
Who is impacted: Deployments that expose an agent with MySQLWriteTool enabled to untrusted input and/or run the tool with a DB user that has broad privileges.
Patches
Not patched in: 2.8.11
Recommended improvements (even if keeping the tool intentionally powerful):
-
Provide a safer API that supports only constrained operations (e.g.,
insertRecord,updateRecord) with allowlisted tables/columns. -
Add a policy/allowlist layer (e.g., allow only
INSERT/UPDATEon selected tables; forbidDROP/TRUNCATE/ALTER/GRANT). -
Add optional review workflow: log + require human approval for high-risk statements; or “dry-run” mode.
-
Document strongly that the tool must not be exposed to untrusted prompts without additional safeguards.
Workarounds
-
Do not enable
MySQLWriteToolfor public/untrusted agents. -
Use a dedicated DB user with least privilege:
-
no
DROP, noALTER, noGRANT, no access to sensitive tables unless necessary -
Add an application-layer policy rejecting high-risk statements (
DROP,TRUNCATE,ALTER,GRANT,REVOKE,CREATE USER, etc.). -
Implement authorization gating for tool calls (RBAC, allow tool use only for trusted operators).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.8.11"
},
"package": {
"ecosystem": "Packagist",
"name": "neuron-core/neuron-ai"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-67510"
],
"database_specific": {
"cwe_ids": [
"CWE-250",
"CWE-284"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-09T17:19:42Z",
"nvd_published_at": "2025-12-10T23:15:48Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\n`MySQLWriteTool` executes arbitrary SQL provided by the caller using `PDO::prepare()` + `execute()` without semantic restrictions. \n\nThis is consistent with the name (\u201cwrite tool\u201d), but in an LLM/agent context it becomes a high-risk capability: prompt injection or indirect prompt manipulation can cause execution of destructive queries such as `DROP TABLE`, `TRUNCATE`, `DELETE`, `ALTER`, or privilege-related statements (subject to DB permissions).\n\n\n\n**Who is impacted:** Deployments that expose an agent with `MySQLWriteTool` enabled to untrusted input and/or run the tool with a DB user that has broad privileges.\n\n### Patches\n\n**Not patched in:** 2.8.11 \n\nRecommended improvements (even if keeping the tool intentionally powerful):\n\n- Provide a safer API that supports only constrained operations (e.g., `insertRecord`, `updateRecord`) with allowlisted tables/columns.\n\n- Add a policy/allowlist layer (e.g., allow only `INSERT`/`UPDATE` on selected tables; forbid `DROP/TRUNCATE/ALTER/GRANT`).\n\n- Add optional review workflow: log + require human approval for high-risk statements; or \u201cdry-run\u201d mode.\n\n- Document strongly that the tool must not be exposed to untrusted prompts without additional safeguards.\n\n\n\n### Workarounds\n\n- Do not enable `MySQLWriteTool` for public/untrusted agents.\n\n- Use a dedicated DB user with **least privilege**:\n\n - no `DROP`, no `ALTER`, no `GRANT`, no access to sensitive tables unless necessary\n\n- Add an application-layer policy rejecting high-risk statements (`DROP`, `TRUNCATE`, `ALTER`, `GRANT`, `REVOKE`, `CREATE USER`, etc.).\n\n- Implement authorization gating for tool calls (RBAC, allow tool use only for trusted operators).",
"id": "GHSA-898v-775g-777c",
"modified": "2025-12-11T15:49:17Z",
"published": "2025-12-09T17:19:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/neuron-core/neuron-ai/security/advisories/GHSA-898v-775g-777c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67510"
},
{
"type": "WEB",
"url": "https://github.com/neuron-core/neuron-ai/commit/44bab85d92bf162898ee48d0bcef6ba0d29b59c9"
},
{
"type": "PACKAGE",
"url": "https://github.com/neuron-core/neuron-ai"
},
{
"type": "WEB",
"url": "https://github.com/neuron-core/neuron-ai/releases/tag/2.8.12"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Neuron MySQLWriteTool allows arbitrary/destructive SQL when exposed to untrusted prompts (agent \u201cfootgun\u201d)"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.