Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit b5b5216ac156 · 2025-12-09T17:21:18.000Z
GHSA-898v-775g-777c GHSA-j8g6-5gqc-mq36 GHSA-jv3w-x3r3-g6rm GHSA-pvcv-q3q7-266g
diff --git a/advisories/github-reviewed/2025/12/GHSA-898v-775g-777c/GHSA-898v-775g-777c.json b/advisories/github-reviewed/2025/12/GHSA-898v-775g-777c/GHSA-898v-775g-777c.json
@@ -0,0 +1,59 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-898v-775g-777c",
+  "modified": "2025-12-09T17:19:42Z",
+  "published": "2025-12-09T17:19:42Z",
+  "aliases": [],
+  "summary": "Neuron MySQLWriteTool allows arbitrary/destructive SQL when exposed to untrusted prompts (agent “footgun”)",
+  "details": "### Impact\n\n`MySQLWriteTool` executes arbitrary SQL provided by the caller using `PDO::prepare()` + `execute()` without semantic restrictions.  \n\nThis is consistent with the name (“write tool”), but in an LLM/agent context it becomes a high-risk capability: prompt injection or indirect prompt manipulation can cause execution of destructive queries such as `DROP TABLE`, `TRUNCATE`, `DELETE`, `ALTER`, or privilege-related statements (subject to DB permissions).\n\n\n\n**Who is impacted:** Deployments that expose an agent with `MySQLWriteTool` enabled to untrusted input and/or run the tool with a DB user that has broad privileges.\n\n### Patches\n\n**Not patched in:** 2.8.11  \n\nRecommended improvements (even if keeping the tool intentionally powerful):\n\n- Provide a safer API that supports only constrained operations (e.g., `insertRecord`, `updateRecord`) with allowlisted tables/columns.\n\n- Add a policy/allowlist layer (e.g., allow only `INSERT`/`UPDATE` on selected tables; forbid `DROP/TRUNCATE/ALTER/GRANT`).\n\n- Add optional review workflow: log + require human approval for high-risk statements; or “dry-run” mode.\n\n- Document strongly that the tool must not be exposed to untrusted prompts without additional safeguards.\n\n\n\n### Workarounds\n\n- Do not enable `MySQLWriteTool` for public/untrusted agents.\n\n- Use a dedicated DB user with **least privilege**:\n\n  - no `DROP`, no `ALTER`, no `GRANT`, no access to sensitive tables unless necessary\n\n- Add an application-layer policy rejecting high-risk statements (`DROP`, `TRUNCATE`, `ALTER`, `GRANT`, `REVOKE`, `CREATE USER`, etc.).\n\n- Implement authorization gating for tool calls (RBAC, allow tool use only for trusted operators).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "neuron-core/neuron-ai"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.8.12"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2.8.11"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/neuron-core/neuron-ai/security/advisories/GHSA-898v-775g-777c"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/neuron-core/neuron-ai"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-250",
+      "CWE-284"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-09T17:19:42Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2025/12/GHSA-j8g6-5gqc-mq36/GHSA-j8g6-5gqc-mq36.json b/advisories/github-reviewed/2025/12/GHSA-j8g6-5gqc-mq36/GHSA-j8g6-5gqc-mq36.json
@@ -0,0 +1,58 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-j8g6-5gqc-mq36",
+  "modified": "2025-12-09T17:19:23Z",
+  "published": "2025-12-09T17:19:23Z",
+  "aliases": [],
+  "summary": "Neuron MySQLSelectTool “read-only” bypass via `SELECT ... INTO OUTFILE` (file write → potential RCE)",
+  "details": "### Impact\n\n`MySQLSelectTool` is intended to be a read-only SQL tool (e.g., for LLM agent querying). However, validation based on the first keyword (e.g., `SELECT`) and a forbidden-keyword list does not block file-writing constructs such as `INTO OUTFILE` / `INTO DUMPFILE`.  \n\nAs a result, an attacker who can influence the tool input (e.g., prompt injection through a public agent endpoint) may be able to write arbitrary content to files on the DB server.\n\nIf the MySQL/MariaDB account has the `FILE` privilege and server configuration permits writes to a useful location (e.g., a web-accessible directory), the impact can escalate to remote code execution on the application host (for example, by writing a PHP web shell).\n\n**Who is impacted:** Deployments that expose an agent using `MySQLSelectTool` to untrusted input and run with overly-permissive DB privileges/configuration.\n\n### Patches\n\n**Not patched in:** 2.8.11  \n\n**Fixed in:** 2.8.12\n\nRecommended fix direction:\n\n- Explicitly reject queries containing: `INTO`, `OUTFILE`, `DUMPFILE`, `LOAD_FILE`, and other file/IO-related functions/clauses.\n\n- Prefer AST-based validation (SQL parser) over keyword checks.\n\n- Constrain allowed tables/columns and disallow multi-statements.\n\n### Workarounds\n\nIf you cannot upgrade immediately:\n\n- Remove/disable `MySQLSelectTool` for any agent reachable from untrusted input.\n\n- Ensure DB account used by the tool **does not** have `FILE` privilege.\n\n- Ensure `secure_file_priv` is set to a directory that is **not** web-accessible (or restrict it tightly).\n\n- Add a defensive query filter at the application layer rejecting `INTO OUTFILE`, `INTO DUMPFILE`, `LOAD_FILE`, `;` (multi-statements), and suspicious comment patterns.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "neuron-core/neuron-ai"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.8.12"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2.8.11"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/neuron-core/neuron-ai/security/advisories/GHSA-j8g6-5gqc-mq36"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/neuron-core/neuron-ai"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-94"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-09T17:19:23Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2025/12/GHSA-jv3w-x3r3-g6rm/GHSA-jv3w-x3r3-g6rm.json b/advisories/github-reviewed/2025/12/GHSA-jv3w-x3r3-g6rm/GHSA-jv3w-x3r3-g6rm.json
@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jv3w-x3r3-g6rm",
+  "modified": "2025-12-09T17:18:59Z",
+  "published": "2025-12-09T17:18:59Z",
+  "aliases": [
+    "CVE-2025-67499"
+  ],
+  "summary": "CNA Plugins Portmap nftables backend can intercept non-local traffic",
+  "details": "### Background\n\nThe CNI `portmap` plugin allows containers to emulate opening a host port, forwarding that traffic to the container. For example, if a host has the IP 198.51.100.42, a container may request that all packets to `198.51.100.42:53` be forwarded to the container's network.\n\n### Vulnerability\n\nWhen the `portmap` plugin is configured with the `nftables` backend, it inadvertently forwards all traffic with the same destination port as the host port, **ignoring the destination IP**. This includes traffic not intended for the node itself, i.e. traffic to containers hosted on the node.\n\nIn the given example above, traffic destined to port 53 but for a _separate container_ would still be captured and forwarded, even though it was not destined for the host.\n\n### Impact\n\nContainers (i.e. kubernetes pods) that request HostPort forwarding can intercept all traffic destined for that port. This requires that the `portmap` plugin be explicitly configured to use the `nftables` backend. (The `iptables` backend is the default.)\n\n### Patches\nThis is fixed as of CNI plugins v1.9.0\n\n### Workarounds\nConfigure the `portmap` plugin to use the `iptables` backend. It does not have this vulnerability.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/containernetworking/plugins"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.6.0"
+            },
+            {
+              "fixed": "1.9.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/containernetworking/plugins/security/advisories/GHSA-jv3w-x3r3-g6rm"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/containernetworking/plugins/commit/9b3772e1a7abf93cbb7c6526a28bc0d27b830e02"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/containernetworking/plugins"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-09T17:18:59Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2025/12/GHSA-pvcv-q3q7-266g/GHSA-pvcv-q3q7-266g.json b/advisories/github-reviewed/2025/12/GHSA-pvcv-q3q7-266g/GHSA-pvcv-q3q7-266g.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-pvcv-q3q7-266g",
+  "modified": "2025-12-09T17:19:10Z",
+  "published": "2025-12-09T17:19:10Z",
+  "aliases": [],
+  "summary": "Filament multi-factor authentication (app) recovery codes can be used multiple times",
+  "details": "### Summary\n\nA flaw in the handling of recovery codes for **app-based multi-factor authentication** allows the same recovery code to be reused indefinitely. This issue does **not** affect email-based MFA. It also only applies when recovery codes are enabled.\n\n### Impact\n\nIf an attacker gains access to both the user's password and their recovery codes, they can repeatedly complete MFA without the user's app-based second factor. This weakens the expected security of MFA by turning recovery codes into a static, long-term bypass method.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "filament/filament"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "4.0.0"
+            },
+            {
+              "fixed": "4.3.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/filamentphp/filament/security/advisories/GHSA-pvcv-q3q7-266g"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/filamentphp/filament/commit/87ff60ad9b6e16d4e14ee36a220b8917dd7b0815"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/filamentphp/filament"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-287",
+      "CWE-288"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-09T17:19:10Z",
+    "nvd_published_at": null
+  }
+}
