MySQLSelectTool Read-Only Bypass via SELECT INTO OUTFILE Allows Arbitrary File Write
Description
Neuron is a PHP framework for creating and orchestrating AI Agents. Versions 2.8.11 and below ship a MySQLSelectTool that is vulnerable to a read-only bypass. MySQLSelectTool is intended to be a read-only SQL tool (e.g., for LLM agent querying); however, validation based on the first keyword (e.g., SELECT) and a forbidden-keyword list does not block file-writing constructs such as INTO OUTFILE / INTO DUMPFILE. As a result, an attacker who can influence the tool input (e.g., via prompt injection through a public agent endpoint) may write arbitrary files to the DB server if the MySQL/MariaDB account has the FILE privilege and server configuration permits writes to a useful location (e.g., a web-accessible directory). This issue is fixed in version 2.8.12.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MySQLSelectTool in Neuron 2.8.11 and below fails to block file-writing SQL constructs, allowing attackers via prompt injection to write arbitrary files and potentially achieve RCE.
The MySQLSelectTool in Neuron (versions ≤2.8.11) [1] is intended as a read-only SQL query tool for AI agents. However, its validation logic, which checks only the first SQL keyword (e.g., SELECT) and a blocklist of forbidden keywords, fails to prohibit file-writing constructs such as INTO OUTFILE and INTO DUMPFILE [2][3].
An attacker who can influence the tool's input—for example, through prompt injection against a public-facing agent endpoint—can inject SQL statements that include SELECT ... INTO OUTFILE [3]. Exploitation requires that the MySQL/MariaDB account has the FILE privilege and that the secure_file_priv variable permits writing to a directory accessible by the application (e.g., a web root) [3].
Successful exploitation allows the attacker to write arbitrary content to files on the database server. If the written file is a PHP web shell placed in a web-accessible directory, this can lead to remote code execution on the application host [3].
The vulnerability is fixed in Neuron version 2.8.12 by adding 'INTO', 'OUTFILE', 'DUMPFILE', and 'LOAD_FILE' to the forbidden statements list [4]. As a workaround, administrators can disable the MySQLSelectTool for agents exposed to untrusted input, ensure the database account lacks FILE privilege, or restrict secure_file_priv to a non-web-accessible directory [3].
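To make the validation gap concrete, the following added illustration (not code from neuron-ai) models a first-keyword plus forbidden-keyword check and runs the same queries against the pre-fix list and the list extended in 2.8.12. The exact pre-fix list contents and the word-based tokenization are assumptions; the page only confirms which four keywords the fix added.

```php
<?php
// Added illustration, not neuron-ai code: models the "first keyword + forbidden
// keyword list" style of check described in the advisory, before and after the
// 2.8.12 fix (commit 72735d0), to show why SELECT ... INTO OUTFILE slipped through.

// Assumed pre-fix list (the advisory does not spell out the full original list).
$forbiddenBefore = ['INSERT', 'UPDATE', 'DELETE', 'DROP', 'CREATE', 'ALTER',
    'TRUNCATE', 'REPLACE', 'MERGE', 'CALL', 'EXECUTE'];
// The four keywords the fix adds: blocks INTO OUTFILE / INTO DUMPFILE (file write)
// and LOAD_FILE() (file read) even though the statement still starts with SELECT.
$forbiddenAfter = array_merge($forbiddenBefore, ['INTO', 'OUTFILE', 'DUMPFILE', 'LOAD_FILE']);

/**
 * Returns null when the query is accepted, otherwise the reason it was rejected.
 * Splits the upper-cased SQL into word tokens, requires the first to be SELECT,
 * then rejects the statement if any token is on the forbidden list. The check is
 * case-insensitive, so `into outfile` is treated like `INTO OUTFILE`.
 */
function validateReadOnly(string $sql, array $forbidden): ?string
{
    $tokens = preg_split('/[^A-Za-z0-9_]+/', strtoupper($sql), -1, PREG_SPLIT_NO_EMPTY);
    if ($tokens === [] || $tokens[0] !== 'SELECT') {
        return 'statement must start with SELECT';
    }
    foreach ($tokens as $token) {
        if (in_array($token, $forbidden, true)) {
            return "forbidden keyword: $token";
        }
    }
    return null;
}

// Constructed sample inputs; the file path is a placeholder, not a real location.
$queries = [
    'SELECT id, name FROM users WHERE active = 1',
    'UPDATE users SET active = 0',
    "SELECT 'x' INTO OUTFILE '/tmp/placeholder.txt'",
    "SELECT LOAD_FILE('/tmp/placeholder.txt')",
];

// Expected: the first query is accepted by both lists, UPDATE is rejected by both,
// and the two file-access queries are accepted before the fix and rejected after it.
foreach ($queries as $q) {
    printf("%-48s before: %-30s after: %s\n", $q,
        validateReadOnly($q, $forbiddenBefore) ?? 'accepted',
        validateReadOnly($q, $forbiddenAfter) ?? 'accepted');
}
```

The keyword check is only one layer: as the advisory notes, a file write still depends on the database account holding FILE and on secure_file_priv allowing the target directory, so both should be restricted independently of the tool.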
- GitHub - neuron-core/neuron-ai: The PHP Agentic Framework to build production-ready AI driven applications. Connect components (LLMs, vector DBs, memory) to agents that can interact with your data.
- NVD - CVE-2025-67509
- MySQLSelectTool “read-only” bypass via `SELECT ... INTO OUTFILE` (file write → potential RCE)
- fix security vulnerability in mysql tools · neuron-core/neuron-ai@72735d0
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| neuron-core/neuron-ai (Packagist) | < 2.8.12 | 2.8.12 |
Affected products
- Range: <=2.8.11
- Range: < 2.8.12
Patches
- 72735d0ea133: fix security vulnerability in mysql tools
1 file changed · +1 −1
src/Tools/Toolkits/MySQL/MySQLSelectTool.php+1 −1 modified@@ -23,7 +23,7 @@ class MySQLSelectTool extends Tool protected array $forbiddenStatements = [ 'INSERT', 'UPDATE', 'DELETE', 'DROP', 'CREATE', 'ALTER', 'TRUNCATE', 'REPLACE', 'MERGE', 'CALL', 'EXECUTE', - 'INTO', 'OUTFILE', 'DUMPFILE', 'LOAD_FILE' + 'INTO', 'OUTFILE', 'DUMPFILE', 'LOAD_FILE', ]; public function __construct(protected PDO $pdo)
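Review bot: as rendered here, the hunk's removed and added lines differ only by the trailing comma after `'LOAD_FILE'`, so the four file-access keywords that the commit message and advisory describe as newly added already appear on the `-` line; confirm that this rendering matches the actual commit before treating the page as the record of the fix. The change also ships no regression test: a unit test asserting that a statement of the form `SELECT ... INTO OUTFILE` and one calling `LOAD_FILE()` are rejected, while a plain `SELECT` is still accepted, would pin the behaviour the advisory describes and catch any future edit to `$forbiddenStatements` that drops one of these entries.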
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-j8g6-5gqc-mq36 (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-67509 (GHSA, ADVISORY)
- github.com/neuron-core/neuron-ai/commit/72735d0ea133266cf2f5d5d195d41e9dd865289a (GHSA, x_refsource_MISC, WEB)
- github.com/neuron-core/neuron-ai/releases/tag/2.8.12 (GHSA, x_refsource_MISC, WEB)
- github.com/neuron-core/neuron-ai/security/advisories/GHSA-j8g6-5gqc-mq36 (GHSA, x_refsource_CONFIRM, WEB)