Cyber Posture

CVE-2025-67510

Critical

Published: 10 December 2025

Modified: 06 March 2026
KEV Added
Patch
CVSS Score: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H)
EPSS Score: 0.0014 (33.4th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Description

Neuron is a PHP framework for creating and orchestrating AI Agents. In versions 2.8.11 and below, the MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare() + execute() without semantic restrictions. This is consistent with the name (“write tool”), but in an LLM/agent context it becomes a high-risk capability: prompt injection or indirect prompt manipulation can cause execution of destructive queries such as DROP TABLE, TRUNCATE, DELETE, ALTER, or privilege-related statements (subject to DB permissions). Deployments that expose an agent with MySQLWriteTool enabled to untrusted input and/or run the tool with a DB user that has broad privileges are impacted. This issue is fixed in version 2.8.12.

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly mitigates the vulnerability by requiring timely remediation through upgrading to Neuron version 2.8.12, which addresses the arbitrary SQL execution flaw.

prevent

Limits damage from arbitrary SQL execution by enforcing least privilege on the database user, preventing destructive queries like DROP TABLE or privilege escalations per CWE-250.

prevent

Prevents prompt injection leading to harmful SQL by validating and sanitizing inputs to the MySQLWriteTool, enforcing semantic restrictions on executed queries.
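
One way to enforce the semantic restriction described in the third control, as an added example that is not Neuron's code and not its 2.8.12 fix. `isAllowedWriteStatement()` and the `orders` table are hypothetical names, the sample statements are constructed, and the guard assumes values are passed as bound parameters, so statements containing `;` or comment markers are refused outright.

```php
<?php
declare(strict_types=1);

// Added example, not Neuron's code: a hypothetical pre-execution guard that
// decides whether agent-supplied SQL may reach PDO::prepare().
// Deliberately conservative: anything it cannot classify is denied.
// $allowedTables holds lowercase table names.
function isAllowedWriteStatement(string $sql, array $allowedTables): bool
{
    // Tolerate one trailing semicolon, then refuse stacked statements and
    // comment syntax that could hide a second statement or keyword.
    $sql = rtrim(rtrim(trim($sql), ';'));
    if (preg_match('~;|--|#|/\*~', $sql) === 1) {
        return false;
    }
    // Accept only "INSERT INTO <table>" or "UPDATE <table>" on a bare,
    // unqualified table name (no db.table, no multi-table forms).
    $re = '~^(INSERT\s+INTO|UPDATE)\s+`?([A-Za-z_][A-Za-z0-9_]*)`?(?=[\s(])\s*(.*)$~is';
    if (preg_match($re, $sql, $m) !== 1) {
        return false;
    }
    $isUpdate = stripos($m[1], 'UPDATE') === 0;
    $rest = $m[3];
    if (!in_array(strtolower($m[2]), $allowedTables, true)) {
        return false;
    }
    // No subqueries: they could read or copy rows from other tables.
    if (preg_match('~\bSELECT\b~i', $rest) === 1) {
        return false;
    }
    if ($isUpdate) {
        // Single-table UPDATE must go straight to SET and carry a WHERE.
        return preg_match('~^SET\s.*\bWHERE\b~is', $rest) === 1;
    }
    // INSERT must continue with a column list, VALUES or SET.
    return preg_match('~^(\(|VALUES\b|SET\s)~i', $rest) === 1;
}

// Constructed sample tool-call arguments, as an LLM might emit them.
$samples = [
    'INSERT INTO orders (customer_id, total) VALUES (:cid, :total)',
    'UPDATE orders SET status = :s WHERE id = :id',
    'UPDATE orders SET status = :s',
    'DROP TABLE orders',
    'UPDATE orders SET status = 1 WHERE id = 1; TRUNCATE orders',
    'UPDATE orders JOIN users ON 1 SET users.role = 1 WHERE 1',
];
foreach ($samples as $sql) {
    printf("%-5s %s\n", isAllowedWriteStatement($sql, ['orders']) ? 'ALLOW' : 'DENY', $sql);
}
```

A keyword guard narrows what the agent can request but does not replace the least-privilege control: the database account behind the tool should hold only INSERT and UPDATE on the allowlisted tables.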

Security Summary (AI)

CVE-2025-67510 is a critical-severity vulnerability (CVSS 9.4, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H) in Neuron, a PHP framework for creating and orchestrating AI agents. It affects versions 2.8.11 and below, specifically the MySQLWriteTool component, which executes arbitrary SQL queries supplied by the caller via PDO::prepare() and execute() without semantic restrictions. Although aligned with its "write tool" purpose, this design exposes risks in LLM/agent contexts where unfiltered SQL can lead to destructive actions, mapped to CWE-250 (Execution with Unnecessary Privileges) and CWE-284 (Improper Access Control).

Remote attackers require no privileges (PR:N) and can exploit the issue over the network (AV:N) with low complexity by using prompt injection or indirect prompt manipulation against agents exposed to untrusted inputs. If the tool runs with a database user possessing broad permissions, this enables execution of harmful queries like DROP TABLE, TRUNCATE, DELETE, ALTER, or privilege-related statements, potentially causing high integrity (I:H) and availability (A:H) impacts with limited confidentiality exposure (C:L).

The issue is addressed in Neuron version 2.8.12. Mitigation involves upgrading immediately, particularly for deployments with MySQLWriteTool enabled on agents handling untrusted data or using high-privilege DB credentials. Key resources include the fixing commit (https://github.com/neuron-core/neuron-ai/commit/44bab85d92bf162898ee48d0bcef6ba0d29b59c9), release notes (https://github.com/neuron-core/neuron-ai/releases/tag/2.8.12), and GitHub security advisory (https://github.com/neuron-core/neuron-ai/security/advisories/GHSA-898v-775g-777c).

This vulnerability underscores AI/ML-specific risks in agent frameworks, where LLM-driven tool calls can amplify privilege misuse without traditional input sanitization. No public evidence of real-world exploitation is available as of publication on 2025-12-10.

Details

CWE(s)

Affected Products

neuron-ai
neuron
≤ 2.8.12

AI Security Analysis (AI)

AI Category: AI Agent Protocols and Integrations
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: Neuron is explicitly described as a PHP framework for creating and orchestrating AI Agents, with the vulnerability occurring in an agent tool (MySQLWriteTool) that enables prompt injection risks in LLM/agent contexts.

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
T1485 Data Destruction (Impact): Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
T1565.001 Stored Data Manipulation (Impact): Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

The vulnerability enables arbitrary SQL execution through prompt injection in an exposed AI agent, facilitating exploitation of public-facing applications (T1190), data collection from databases (T1213.006), stored data manipulation via destructive or altering queries (T1565.001), and data destruction (T1485).
