MySQLWriteTool allows arbitrary/destructive SQL when exposed to untrusted prompts (agent “footgun”)
Description
Neuron is a PHP framework for creating and orchestrating AI Agents. In versions 2.8.11 and below, the MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare() + execute() without semantic restrictions. This is consistent with the name (“write tool”), but in an LLM/agent context it becomes a high-risk capability: prompt injection or indirect prompt manipulation can cause execution of destructive queries such as DROP TABLE, TRUNCATE, DELETE, ALTER, or privilege-related statements (subject to DB permissions). Deployments that expose an agent with MySQLWriteTool enabled to untrusted input and/or run the tool with a DB user that has broad privileges are impacted. This issue is fixed in version 2.8.12.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MySQLWriteTool in Neuron PHP framework <=2.8.11 allows arbitrary SQL execution via prompt injection, enabling destructive database queries.
Summary
CVE-2025-67510 affects the MySQLWriteTool in the Neuron PHP framework (versions 2.8.11 and below). The tool executes arbitrary SQL provided by the caller using PDO::prepare() and execute() without semantic restrictions [1][2]. While this behavior is intentional for legitimate database write operations, in the context of an LLM agent it becomes a high-risk capability [2][3].
Root
Cause and Exploitation
The vulnerability is rooted in the lack of semantic validation on SQL queries passed to the MySQLWriteTool [2]. An attacker can leverage prompt injection or indirect prompt manipulation to coerce the agent into executing destructive SQL commands [2][3]. The attack surface is agents exposed to untrusted input, such as public-facing chatbots or tools that process user-supplied prompts [2][3]. No additional authentication is required beyond the agent's existing database user permissions [2].
Impact
Successful exploitation can result in execution of arbitrary SQL statements including DROP TABLE, TRUNCATE, DELETE, ALTER, and privilege-related statements [2][3]. The actual impact depends on the database user's permissions – if the agent's DB user has broad privileges, an attacker could drop entire tables or modify database schemas [2]. This could lead to data loss, service disruption, or unauthorized data manipulation [2].
Mitigation
The issue is fixed in version 2.8.12 [2][3]. The commit [4] shows that the fix adds a keyword validation layer that rejects dangerous statements. Recommended workarounds include disabling MySQLWriteTool for untrusted agents, using a dedicated least-privilege DB user, and implementing application-layer policy to block high-risk SQL commands [3].
- GitHub - neuron-core/neuron-ai: The PHP Agentic Framework to build production-ready AI driven applications. Connect components (LLMs, vector DBs, memory) to agents that can interact with your data.
- NVD - CVE-2025-67510
- MySQLWriteTool allows arbitrary/destructive SQL when exposed to untrusted prompts (agent “footgun”)
- fix security vulnerability in mysql tools · neuron-core/neuron-ai@44bab85
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
neuron-core/neuron-aiPackagist | < 2.8.12 | 2.8.12 |
Affected products
1- Range: < 2.8.12
Patches
144bab85d92bffix security vulnerability in mysql tools
1 file changed · +1 −1
src/Tools/Toolkits/MySQL/MySQLWriteTool.php+1 −1 modified@@ -97,7 +97,7 @@ public function __invoke(string $query, ?array $parameters = []): string return "Query executed successfully. {$rowCount} row(s) affected."; } - protected function validate($query): bool + protected function validate(string $query): bool { // Check for forbidden keywords that might be in subqueries foreach ($this->forbiddenStatements as $forbidden) {
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-898v-775g-777cghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-67510ghsaADVISORY
- github.com/neuron-core/neuron-ai/commit/44bab85d92bf162898ee48d0bcef6ba0d29b59c9ghsax_refsource_MISCWEB
- github.com/neuron-core/neuron-ai/releases/tag/2.8.12ghsax_refsource_MISCWEB
- github.com/neuron-core/neuron-ai/security/advisories/GHSA-898v-775g-777cghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.