Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
MySQLWriteTool allows arbitrary/destructive SQL when exposed to untrusted prompts (agent “footgun”)
Vulnerability Description
Neuron is a PHP framework for creating and orchestrating AI Agents. In versions 2.8.11 and below, the MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare() + execute() without semantic restrictions. This is consistent with the name (“write tool”), but in an LLM/agent context it becomes a high-risk capability: prompt injection or indirect prompt manipulation can cause execution of destructive queries such as DROP TABLE, TRUNCATE, DELETE, ALTER, or privilege-related statements (subject to DB permissions). Deployments that expose an agent with MySQLWriteTool enabled to untrusted input and/or run the tool with a DB user that has broad privileges are impacted. This issue is fixed in version 2.8.12.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Vulnerability Type
带着不必要的权限执行
Vulnerability Title
Neuron 访问控制错误漏洞
Vulnerability Description
Neuron是EMQ开源的一款工业物联网(IIoT)连接服务器。用于现代大数据和 AI/ML 技术,以利用工业 4.0 的力量。 Neuron 2.8.11及之前版本存在访问控制错误漏洞,该漏洞源于MySQLWriteTool执行任意SQL时缺乏语义限制,可能导致执行破坏性查询。
CVSS Information
N/A
Vulnerability Type
N/A