Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-898v-775g-777c: Neuron MySQLWriteTool allows arbitrary/destructive SQL when exposed to untrusted prompts (agent “footgun”)

Impact

MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare() + execute() without semantic restrictions.

This is consistent with the name (“write tool”), but in an LLM/agent context it becomes a high-risk capability: prompt injection or indirect prompt manipulation can cause execution of destructive queries such as DROP TABLE, TRUNCATE, DELETE, ALTER, or privilege-related statements (subject to DB permissions).

Who is impacted: Deployments that expose an agent with MySQLWriteTool enabled to untrusted input and/or run the tool with a DB user that has broad privileges.

Patches

Not patched in: 2.8.11

Recommended improvements (even if keeping the tool intentionally powerful):

  • Provide a safer API that supports only constrained operations (e.g., insertRecord, updateRecord) with allowlisted tables/columns.

  • Add a policy/allowlist layer (e.g., allow only INSERT/UPDATE on selected tables; forbid DROP/TRUNCATE/ALTER/GRANT).

  • Add optional review workflow: log + require human approval for high-risk statements; or “dry-run” mode.

  • Document strongly that the tool must not be exposed to untrusted prompts without additional safeguards.

Workarounds

  • Do not enable MySQLWriteTool for public/untrusted agents.

  • Use a dedicated DB user with least privilege:

    • no DROP, no ALTER, no GRANT, no access to sensitive tables unless necessary

  • Add an application-layer policy rejecting high-risk statements (DROP, TRUNCATE, ALTER, GRANT, REVOKE, CREATE USER, etc.).

  • Implement authorization gating for tool calls (RBAC, allow tool use only for trusted operators).

ghsa
Open in Source
#sql#auth

Impact

MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare() + execute() without semantic restrictions.

This is consistent with the name (“write tool”), but in an LLM/agent context it becomes a high-risk capability: prompt injection or indirect prompt manipulation can cause execution of destructive queries such as DROP TABLE, TRUNCATE, DELETE, ALTER, or privilege-related statements (subject to DB permissions).

Who is impacted: Deployments that expose an agent with MySQLWriteTool enabled to untrusted input and/or run the tool with a DB user that has broad privileges.

Patches

Not patched in: 2.8.11

Recommended improvements (even if keeping the tool intentionally powerful):

  • Provide a safer API that supports only constrained operations (e.g., insertRecord, updateRecord) with allowlisted tables/columns.

  • Add a policy/allowlist layer (e.g., allow only INSERT/UPDATE on selected tables; forbid DROP/TRUNCATE/ALTER/GRANT).

  • Add optional review workflow: log + require human approval for high-risk statements; or “dry-run” mode.

  • Document strongly that the tool must not be exposed to untrusted prompts without additional safeguards.

Workarounds

  • Do not enable MySQLWriteTool for public/untrusted agents.

  • Use a dedicated DB user with least privilege:

    • no DROP, no ALTER, no GRANT, no access to sensitive tables unless necessary

  • Add an application-layer policy rejecting high-risk statements (DROP, TRUNCATE, ALTER, GRANT, REVOKE, CREATE USER, etc.).

  • Implement authorization gating for tool calls (RBAC, allow tool use only for trusted operators).

References

  • GHSA-898v-775g-777c

ghsa: Latest News

GHSA-mr6f-h57v-rpj5: Improper Validation of Query Parameters in Auth0 Next.js SDK
ghsa