CVE-2025-67509

Impact

MySQLSelectTool is intended to be a read-only SQL tool (e.g., for LLM agent querying). However, validation based on the first keyword (e.g., SELECT) and a forbidden-keyword list does not block file-writing constructs such as INTO OUTFILE / INTO DUMPFILE.  

As a result, an attacker who can influence the tool input (e.g., prompt injection through a public agent endpoint) may be able to write arbitrary content to files on the DB server.

If the MySQL/MariaDB account has the FILE privilege and server configuration permits writes to a useful location (e.g., a web-accessible directory), the impact can escalate to remote code execution on the application host (for example, by writing a PHP web shell).

Who is impacted: Deployments that expose an agent using MySQLSelectTool to untrusted input and run with overly-permissive DB privileges/configuration.

Patches

Not patched in: 2.8.11  

Fixed in: 2.8.12

Recommended fix direction:

• Explicitly reject queries containing: INTO, OUTFILE, DUMPFILE, LOAD_FILE, and other file/IO-related functions/clauses.
• Prefer AST-based validation (SQL parser) over keyword checks.
• Constrain allowed tables/columns and disallow multi-statements.

Workarounds

If you cannot upgrade immediately:

• Remove/disable MySQLSelectTool for any agent reachable from untrusted input.
• Ensure DB account used by the tool does not have FILE privilege.
• Ensure securefilepriv is set to a directory that is not web-accessible (or restrict it tightly).
• Add a defensive query filter at the application layer rejecting INTO OUTFILE, INTO DUMPFILE, LOAD_FILE, ; (multi-statements), and suspicious comment patterns.