CVE-2025-30224: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in mydumper mydumper
MyDumper is a MySQL Logical Backup Tool. The MySQL C client library (libmysqlclient) allows authenticated remote actors to read arbitrary files from client systems via a crafted server response to LOAD LOCAL INFILE query, leading to sensitive information disclosure when clients connect to untrusted MySQL servers without explicitly disabling the local infile capability. Mydumper has the local infile option enabled by default and does not have an option to disable it. This can lead to an unexpected arbitrary file read if the Mydumper tool connects to an untrusted server. This vulnerability is fixed in 0.18.2-8.
AI Analysis
Technical Summary
CVE-2025-30224 is a medium severity vulnerability affecting mydumper, a MySQL logical backup tool. The root cause lies in the underlying MySQL C client library (libmysqlclient), which mydumper uses. This library allows authenticated remote actors to read arbitrary files from client systems by exploiting a crafted server response to a LOAD LOCAL INFILE query. The LOAD LOCAL INFILE command is intended to load data from a local file into the MySQL server, but in this case the server can manipulate the response to trick the client into reading arbitrary files. Mydumper has the local infile option enabled by default and lacks an option to disable it, so when mydumper connects to an untrusted or malicious MySQL server, it can inadvertently disclose sensitive files from the client system.
This vulnerability does not require prior authentication or privileges on the client side, but it does require user interaction in the form of establishing a connection to a malicious server. The vulnerability is fixed in mydumper version 0.18.2-8. The CVSS 4.0 base score is 5.1 (medium), reflecting a network attack vector, low complexity, and no privileges required, with user interaction needed and limited confidentiality impact. The vulnerability is categorized under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). No known exploits are currently reported in the wild.
The issue primarily affects users who run mydumper versions prior to 0.18.2-8 and connect to untrusted MySQL servers; affected versions provide no way to disable the local infile capability. This can lead to arbitrary file disclosure on the client system, potentially exposing sensitive configuration files, credentials, or other private data stored on the client machine.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to database administrators and backup operators who use mydumper to perform logical backups of MySQL databases. If these users connect to untrusted or compromised MySQL servers—such as during cross-organization data transfers, third-party integrations, or cloud environments where server trust boundaries are less clear—attackers could exploit this flaw to read sensitive files on the client machines running mydumper. This could lead to exposure of credentials, configuration files, or other confidential information, potentially facilitating further attacks such as lateral movement or privilege escalation. The impact is particularly relevant for organizations with strict data protection requirements under GDPR, as unauthorized disclosure of personal or sensitive data could lead to regulatory penalties and reputational damage. However, the vulnerability requires user interaction (connecting to a malicious server) and does not allow remote code execution or denial of service, limiting its severity. Organizations relying heavily on mydumper for backups, especially in multi-tenant or hybrid cloud environments, are at higher risk. The absence of an option to disable local infile in affected versions increases exposure, making timely patching critical.
Mitigation Recommendations
1. Upgrade mydumper to version 0.18.2-8 or later, where the vulnerability is fixed and the local infile option can be disabled.
2. Until upgrading, avoid connecting mydumper clients to untrusted or unknown MySQL servers.
3. Implement network segmentation and firewall rules to restrict mydumper client connections only to trusted MySQL servers.
4. Monitor and audit database backup operations to detect unusual connections or data transfers.
5. If upgrading is not immediately possible, consider using alternative backup tools that do not enable local infile by default or allow disabling it.
6. Educate database administrators and backup operators about the risks of connecting to untrusted servers and the importance of verifying server authenticity.
7. Employ host-based intrusion detection systems to monitor for suspicious file access patterns that could indicate exploitation attempts.
8. Review and minimize the sensitive data stored on client systems running mydumper to reduce potential exposure.
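For the monitoring recommendation, the following added example (not from the advisory or the mydumper project) flags a server reply that asks the client for a file the client never offered in a LOAD DATA LOCAL INFILE statement. It assumes a plaintext, uncompressed MySQL session already past the handshake and reassembled into per-direction turns; the function names and the sample session are hypothetical.

```python
COM_QUERY = 0x03             # client command byte for a text query
LOCAL_INFILE_REQUEST = 0xFB  # first byte of the server's file-request reply

def packets(stream: bytes):
    """Yield (sequence_id, payload) per MySQL packet: 3-byte LE length, 1-byte seq."""
    pos = 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        payload = stream[pos + 4:pos + 4 + length]
        if len(payload) < length:
            break  # truncated capture: stop instead of misparsing
        yield stream[pos + 3], payload
        pos += 4 + length

def unsolicited_infile_requests(exchange):
    """exchange: ordered (direction, bytes) turns, 'C' = client, 'S' = server.
    Returns file names the server requested that the preceding client command
    did not name in a LOCAL INFILE statement."""
    findings, last_query = [], b""
    for direction, chunk in exchange:
        for seq, payload in packets(chunk):
            if not payload:
                continue
            if direction == "C" and seq == 0:
                # New command: remember the query text, whitespace-normalised.
                is_query = payload[0] == COM_QUERY
                last_query = b" ".join(payload[1:].upper().split()) if is_query else b""
            elif direction == "S" and seq == 1 and payload[0] == LOCAL_INFILE_REQUEST:
                # 0xFB is a file request only as the first reply (seq 1);
                # later in a result set the same byte marks a NULL column.
                name = payload[1:]
                if b"LOCAL INFILE" not in last_query or name.upper() not in last_query:
                    findings.append(name.decode("utf-8", "replace"))
    return findings

def frame(seq: int, payload: bytes) -> bytes:
    """Build one packet for the constructed sample below."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

# Constructed sample session (not real traffic); paths are placeholders.
SAMPLE = [
    ("C", frame(0, b"\x03SELECT note FROM t")),
    ("S", frame(1, b"\x01") + frame(2, b"<column definition>") + frame(3, b"\xfb")),
    ("C", frame(0, b"\x03LOAD DATA  LOCAL INFILE 'rows.csv' INTO TABLE t")),
    ("S", frame(1, b"\xfbrows.csv")),
    ("C", frame(0, b"\x03SHOW DATABASES")),
    ("S", frame(1, b"\xfb/constructed/placeholder.txt")),
]
```

TLS-protected sessions cannot be inspected this way, so there the check has to be complemented by host-side file access monitoring on the backup client.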
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-03-18T18:15:13.851Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6838dc05182aa0cae2910300
Added to database: 5/29/2025, 10:13:25 PM
Last enriched: 7/7/2025, 9:59:46 PM
Last updated: 8/1/2025, 6:43:35 AM