Vulnerability Description
Neuron is a PHP framework for creating and orchestrating AI Agents. In versions 2.8.11 and below, the MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare() + execute() without semantic restrictions. This is consistent with the name (“write tool”), but in an LLM/agent context it becomes a high-risk capability: prompt injection or indirect prompt manipulation can cause execution of destructive queries such as DROP TABLE, TRUNCATE, DELETE, ALTER, or privilege-related statements (subject to DB permissions). Deployments that expose an agent with MySQLWriteTool enabled to untrusted input and/or run the tool with a DB user that has broad privileges are impacted. This issue is fixed in version 2.8.12.
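The core of the issue is that PDO::prepare()/execute() only parameterise values; they place no limit on which statement types a caller may run. One mitigation is to validate the statement before it reaches PDO. The class below is an added example written for this page, not Neuron's code and not the 2.8.12 fix; its class name, allow-list and deny-list are assumptions.

```php
<?php
// Hypothetical guarded "write tool" (added example, not Neuron's code). It
// allow-lists the statement verb and rejects batches and DDL/privilege
// keywords before the SQL ever reaches PDO::prepare()/execute().
final class GuardedMySQLWriteTool
{
    /** Statement types an agent write tool legitimately needs (assumption). */
    private const ALLOWED_VERBS = ['INSERT', 'UPDATE'];

    /** Keywords that must never appear, even nested in a subquery or batch. */
    private const DENIED_KEYWORDS = [
        'DROP', 'TRUNCATE', 'DELETE', 'ALTER', 'CREATE', 'RENAME',
        'GRANT', 'REVOKE', 'LOAD', 'OUTFILE', 'SHUTDOWN',
    ];

    public function __construct(private PDO $pdo) {}

    /** Throws on anything outside the allow-list; returns the comment-stripped SQL. */
    public static function validate(string $sql): string
    {
        // Remove comments so a keyword cannot hide behind "--", "#" or "/* */".
        $clean = preg_replace('~(--[^\n]*|#[^\n]*|/\*.*?\*/)~s', ' ', $sql) ?? '';
        // One statement only: "INSERT ...; DROP TABLE x" is a batch, not a write.
        if (preg_match('~;\s*\S~', $clean)) {
            throw new InvalidArgumentException('Multiple statements are not allowed');
        }
        if (!preg_match('~^\s*([A-Za-z]+)~', $clean, $m)
            || !in_array(strtoupper($m[1]), self::ALLOWED_VERBS, true)) {
            throw new InvalidArgumentException('Only INSERT and UPDATE are allowed');
        }
        // Conservative by design: a denied keyword is rejected even inside a literal.
        foreach (self::DENIED_KEYWORDS as $kw) {
            if (preg_match('~\b' . $kw . '\b~i', $clean)) {
                throw new InvalidArgumentException("Keyword $kw is not allowed");
            }
        }
        return $clean;
    }

    /** Same prepare()+execute() pattern, now behind the guard; returns affected rows. */
    public function __invoke(string $sql, array $params = []): int
    {
        $stmt = $this->pdo->prepare(self::validate($sql));
        $stmt->execute($params);
        return $stmt->rowCount();
    }
}
```

The guard is defence in depth, not a substitute for the two controls the description already implies: open the PDO connection with `PDO::MYSQL_ATTR_MULTI_STATEMENTS => false`, and run the tool as a MySQL user granted only INSERT and UPDATE on the tables the agent needs.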
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Neuron-Ai | Neuron | < 2.8.12 |
Related Weaknesses (CWE)
References
- https://github.com/neuron-core/neuron-ai/commit/44bab85d92bf162898ee48d0bcef6ba0 (Patch)
- https://github.com/neuron-core/neuron-ai/releases/tag/2.8.12 (Product, Release Notes)
- https://github.com/neuron-core/neuron-ai/security/advisories/GHSA-898v-775g-777c (Mitigation, Vendor Advisory)
FAQ
What is CVE-2025-67510?
CVE-2025-67510 is a vulnerability with a CVSS score of 9.4 (CRITICAL). Neuron is a PHP framework for creating and orchestrating AI Agents. In versions 2.8.11 and below, the MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare() + execute() with...
How severe is CVE-2025-67510?
CVE-2025-67510 has been rated CRITICAL with a CVSS base score of 9.4/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-67510?
Check the references section above for vendor advisories and patch information. Affected products include: Neuron-Ai Neuron.