Skip to content

Neuron MySQLWriteTool allows arbitrary/destructive SQL when exposed to untrusted prompts (agent “footgun”)

Critical severity GitHub Reviewed Published Dec 9, 2025 in neuron-core/neuron-ai • Updated Dec 9, 2025

Package

composer neuron-core/neuron-ai (Composer)

Affected versions

<= 2.8.11

Patched versions

2.8.12

Description

Impact

MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare() + execute() without semantic restrictions.

This is consistent with the name (“write tool”), but in an LLM/agent context it becomes a high-risk capability: prompt injection or indirect prompt manipulation can cause execution of destructive queries such as DROP TABLE, TRUNCATE, DELETE, ALTER, or privilege-related statements (subject to DB permissions).

Who is impacted: Deployments that expose an agent with MySQLWriteTool enabled to untrusted input and/or run the tool with a DB user that has broad privileges.

Patches

Not patched in: 2.8.11

Recommended improvements (even if keeping the tool intentionally powerful):

  • Provide a safer API that supports only constrained operations (e.g., insertRecord, updateRecord) with allowlisted tables/columns.

  • Add a policy/allowlist layer (e.g., allow only INSERT/UPDATE on selected tables; forbid DROP/TRUNCATE/ALTER/GRANT).

  • Add optional review workflow: log + require human approval for high-risk statements; or “dry-run” mode.

  • Document strongly that the tool must not be exposed to untrusted prompts without additional safeguards.

Workarounds

  • Do not enable MySQLWriteTool for public/untrusted agents.

  • Use a dedicated DB user with least privilege:

    • no DROP, no ALTER, no GRANT, no access to sensitive tables unless necessary

  • Add an application-layer policy rejecting high-risk statements (DROP, TRUNCATE, ALTER, GRANT, REVOKE, CREATE USER, etc.).

  • Implement authorization gating for tool calls (RBAC, allow tool use only for trusted operators).

References

@ilvalerione ilvalerione published to neuron-core/neuron-ai Dec 9, 2025
Published to the GitHub Advisory Database Dec 9, 2025
Reviewed Dec 9, 2025
Last updated Dec 9, 2025

Severity

Critical

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

EPSS score

Weaknesses

Execution with Unnecessary Privileges

The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. Learn more on MITRE.

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Learn more on MITRE.

CVE ID

CVE-2025-67510

GHSA ID

GHSA-898v-775g-777c

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.