8.2

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-j8g6-5gqc-mq36

GHSA-j8g6-5gqc-mq36: Neuron MySQLSelectTool “read-only” bypass via `SELECT ... INTO OUTFILE` (file write → potential RCE)

Impact

MySQLSelectTool is intended to be a read-only SQL tool (e.g., for LLM agent querying). However, validation based on the first keyword (e.g., SELECT) and a forbidden-keyword list does not block file-writing constructs such as INTO OUTFILE / INTO DUMPFILE.

As a result, an attacker who can influence the tool input (e.g., prompt injection through a public agent endpoint) may be able to write arbitrary content to files on the DB server.

If the MySQL/MariaDB account has the FILE privilege and server configuration permits writes to a useful location (e.g., a web-accessible directory), the impact can escalate to remote code execution on the application host (for example, by writing a PHP web shell).

Who is impacted: Deployments that expose an agent using MySQLSelectTool to untrusted input and run with overly-permissive DB privileges/configuration.

Patches

Not patched in: 2.8.11

Fixed in: 2.8.12

Recommended fix direction:

Explicitly reject queries containing: INTO, OUTFILE, DUMPFILE, LOAD_FILE, and other file/IO-related functions/clauses.
Prefer AST-based validation (SQL parser) over keyword checks.
Constrain allowed tables/columns and disallow multi-statements.

Workarounds

If you cannot upgrade immediately:

Remove/disable MySQLSelectTool for any agent reachable from untrusted input.
Ensure DB account used by the tool does not have FILE privilege.
Ensure secure_file_priv is set to a directory that is not web-accessible (or restrict it tightly).
Add a defensive query filter at the application layer rejecting INTO OUTFILE, INTO DUMPFILE, LOAD_FILE, ; (multi-statements), and suspicious comment patterns.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-j8g6-5gqc-mq36

GHSA-j8g6-5gqc-mq36:

8.2

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
neuron-core/neuron-ai	composer	<= 2.8.11	2.8.12

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the MySQLSelectTool class, which is intended for read-only SQL queries but could be exploited to write files. The root cause was an incomplete denylist of SQL keywords. The security advisory and the associated commits, specifically ea49f8c4f35bffb56021a2ea2c9b07817fcc31b6, clearly show the patch that fixed the issue. The patch adds INTO, OUTFILE, DUMPFILE, and LOAD_FILE to the $forbiddenStatements array within the MySQLSelectTool.php file. This array is used by the validateReadOnly method to check if a query is safe to run. The main entry point for the tool is the __invoke method, which takes the user's query and calls validateReadOnly before execution. Because the validation was flawed, both __invoke (as the entry point that trusts the validation) and validateReadOnly (as the function with the flawed logic) are identified as the vulnerable functions. An attacker could craft a SELECT query containing INTO OUTFILE to write a file on the database server, and the vulnerable version of the code would fail to block it.

Vulnerable functions

Neuron\Tools\Toolkits\MySQL\MySQLSelectTool::__invoke

src/Tools/Toolkits/MySQL/MySQLSelectTool.php

This is the main public method of the tool that receives and executes the user-provided SQL query. It calls the `validateReadOnly` function to ensure the query is read-only. Prior to the patch, `validateReadOnly` had an incomplete denylist, allowing `__invoke` to execute malicious queries containing file-writing clauses like `INTO OUTFILE`.

Neuron\Tools\Toolkits\MySQL\MySQLSelectTool::validateReadOnly

src/Tools/Toolkits/MySQL/MySQLSelectTool.php

This function is responsible for validating that a SQL query is read-only by checking it against a list of forbidden keywords. The vulnerability existed because this function's list of forbidden keywords was incomplete and did not include file I/O related clauses such as `INTO`, `OUTFILE`, or `DUMPFILE`. This allowed an attacker to bypass the read-only restriction.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.2

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-j8g6-5gqc-mq36: Neuron MySQLSelectTool “read-only” bypass via `SELECT ... INTO OUTFILE` (file write → potential RCE)

Impact

Patches

Workarounds

GHSA-j8g6-5gqc-mq36:

8.2

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

GHSA-j8g6-5gqc-mq36: Neuron MySQLSelectTool “read-only” bypass via `SELECT ... INTO OUTFILE` (file write → potential RCE)

Impact

Patches

Workarounds

8.2

8.2

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI