CVE-2025-62611 is a vulnerability classified under CWE-73 (External Control of File Name or Path) affecting the aio-libs aiomysql library, a Python asynchronous MySQL client. Versions prior to 0.3.0 do not properly validate client-side settings before sending local files to the MySQL server. This flaw enables a malicious or rogue MySQL server to bypass client authorization and flag checks, then issue a LOAD_LOCAL instruction packet to the client. This instruction causes the client to send arbitrary local files to the server, potentially exposing sensitive data stored on the client machine. The vulnerability is exploitable remotely without requiring authentication or user interaction, making it a significant risk in environments where clients connect to untrusted or compromised MySQL servers. The issue was addressed and patched in aiomysql version 0.3.0 by implementing proper client-side validation and controls to prevent unauthorized file transfers. Although no active exploits have been reported, the high CVSS 4.0 score of 8.2 reflects the ease of exploitation and the high confidentiality impact. Organizations using asynchronous Python applications with aiomysql to connect to MySQL databases should prioritize upgrading and review their network trust boundaries to mitigate potential attacks.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive files from client systems to a rogue MySQL server. For European organizations, this could lead to exposure of confidential business data, intellectual property, or personally identifiable information (PII), potentially violating GDPR and other data protection regulations. The vulnerability could be exploited by attackers who control or impersonate MySQL servers, including in supply chain attacks or compromised internal database servers. This risk is heightened in sectors with extensive use of Python asynchronous frameworks and MySQL backends, such as finance, healthcare, and technology. The breach of confidentiality could result in reputational damage, regulatory fines, and operational disruptions. Since exploitation does not require authentication or user interaction, the attack surface is broad, especially in environments where clients connect to multiple or external MySQL servers. Availability and integrity impacts are minimal, but the confidentiality breach alone justifies urgent remediation.

1. Upgrade all instances of aiomysql to version 0.3.0 or later, where the vulnerability is patched. 2. Implement strict network segmentation and firewall rules to restrict client connections only to trusted MySQL servers, preventing rogue server interactions. 3. Employ application-layer validation and monitoring to detect unusual LOAD_LOCAL commands or unexpected file transfers. 4. Review and minimize the use of LOAD_LOCAL capability in MySQL client configurations where possible. 5. Conduct security audits of asynchronous Python applications to identify usage of vulnerable aiomysql versions. 6. Educate developers and DevOps teams about the risks of connecting to untrusted database servers and enforce secure coding practices. 7. Monitor threat intelligence feeds for any emerging exploits targeting this vulnerability to respond promptly.