Critical severity · OSV Advisory · Published Dec 2, 2025 · Updated Dec 3, 2025

CVE-2025-65896

Description

SQL injection vulnerability in long2ice asyncmy through 0.2.10 allows attackers to execute arbitrary SQL commands via crafted dict keys.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2025-65896: SQL injection in asyncmy ≤0.2.10 via unsanitized dict keys, allowing arbitrary SQL execution.

Vulnerability

Description

asyncmy, an asyncio MySQL/MariaDB driver, contains a SQL injection vulnerability in versions up to 0.2.10. The flaw resides in the escape_dict function within converters.pyx, where only dictionary values are escaped using escape_item, but dictionary keys are left unescaped [1][3]. This oversight allows an attacker to inject arbitrary SQL commands by providing crafted dict keys.
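As an added illustration (not asyncmy's own code, and not taken from converters.pyx), the following pure-Python model mirrors the behaviour described above: escape_dict_weak runs only the values through escape_item and copies keys verbatim, while escape_dict_hardened also validates every key as a plain identifier and backtick-quotes it. The escape_item and escape table here are minimal stand-ins written for this example, not the driver's implementation.

```python
import re

# Minimal escape table for string literals (illustrative stand-in, not the
# driver's real escape_string).
_ESCAPE_TABLE = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
    "'": "\\'", '"': '\\"', "\\": "\\\\",
}

def escape_item(value) -> str:
    """Escape a single value into a SQL literal (None, numbers, strings)."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):          # bool is a subclass of int: check first
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return str(value)
    escaped = "".join(_ESCAPE_TABLE.get(ch, ch) for ch in str(value))
    return f"'{escaped}'"

def escape_dict_weak(d: dict) -> dict:
    """Models the reported behaviour: values pass through escape_item,
    keys are copied verbatim and so reach the query text untouched."""
    return {key: escape_item(val) for key, val in d.items()}

# Column/identifier names: letters, digits, underscore; nothing else.
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def key_is_safe(key) -> bool:
    """True only for plain identifier strings; rejects quotes, spaces, etc."""
    return isinstance(key, str) and _IDENT.fullmatch(key) is not None

def escape_dict_hardened(d: dict) -> dict:
    """Hardened variant: reject any key that is not a plain identifier and
    backtick-quote the ones that are, so keys can never carry SQL syntax."""
    out = {}
    for key, val in d.items():
        if not key_is_safe(key):
            raise ValueError(f"refusing non-identifier dict key: {key!r}")
        out[f"`{key}`"] = escape_item(val)
    return out

def render_assignments(escaped: dict) -> str:
    """Join an escaped dict into a 'col = value, ...' fragment for SET/WHERE."""
    return ", ".join(f"{k} = {v}" for k, v in escaped.items())

if __name__ == "__main__":
    row = {"user_id": 7, "note": "O'Reilly"}   # constructed sample input
    print(render_assignments(escape_dict_hardened(row)))
    for bad in ("user id", "note'", 42):        # constructed bad keys
        print(bad, "->", "rejected" if not key_is_safe(bad) else "ok")
```

The hardened variant fails closed: a key that is not a bare identifier raises before any query text is built, which is the check a caller can also apply in front of an unpatched driver.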

Exploitation

An attacker can exploit this by controlling the keys of a dictionary passed to a query. For example, if a dict is used in a SQL statement, the key string is inserted directly into the query without sanitization. The attacker does not need authentication if the vulnerable code path is exposed to user input. The attack vector is through network requests that supply such malicious dicts [3].

Impact

Successful exploitation allows the attacker to execute arbitrary SQL commands on the database. This can lead to data exfiltration, modification, or deletion, and in some cases, full compromise of the database server.

Mitigation

The maintainer has likely addressed this in versions after 0.2.10 (e.g., 0.2.12). Users should upgrade to the latest version. No official advisory or fix was found in the provided references, but issue #134 documents the problem [3].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: asyncmy (PyPI)
Affected versions: <= 0.2.11
Patched versions: (none listed)

Affected products

  • Long2ice/Asyncmy (OSV), 2 versions: v0.1.0, v0.1.1, v0.1.2, …+ 1 more
    • (no CPE) range: v0.1.0, v0.1.1, v0.1.2, …
    • (no CPE) range: <=0.2.10

Patches

No patches discovered yet.
