CVE-2025-67509 is a code injection vulnerability classified under CWE-94 affecting the neuron-ai PHP framework, specifically versions 2.8.11 and below. The issue lies in the MySQLSelectTool component, designed to perform read-only SQL queries for AI agents, such as large language model (LLM) querying. The tool attempts to restrict queries by validating the first SQL keyword (e.g., SELECT) and filtering forbidden keywords. However, this validation is insufficient as it does not block SQL clauses that enable writing files to the database server's filesystem, such as INTO OUTFILE or INTO DUMPFILE. If an attacker can manipulate the input to this tool—potentially through prompt injection attacks on publicly exposed AI agent endpoints—they can craft queries that write arbitrary files to locations on the database server. This is contingent on the MySQL or MariaDB account having the FILE privilege and the server configuration permitting writes to directories accessible by the attacker, such as web server directories. The ability to write arbitrary files can lead to code injection, enabling attackers to implant malicious scripts or backdoors, thereby compromising system integrity. The vulnerability does not require authentication or user interaction, making it remotely exploitable over the network. The CVSS v3.1 score is 8.2 (high severity), reflecting low attack complexity, no privileges required, and significant impact on integrity. The issue was fixed in neuron-ai version 2.8.12 by improving input validation and blocking file-writing SQL constructs. No public exploits have been reported yet, but the vulnerability poses a serious risk to deployments of neuron-ai in production environments.

For European organizations, this vulnerability presents a significant risk, especially those leveraging neuron-ai for AI agent orchestration with MySQL or MariaDB backends. Successful exploitation can allow attackers to write arbitrary files to the database server, potentially leading to remote code execution if the files are placed in web-accessible directories. This compromises system integrity and could facilitate further lateral movement or data exfiltration. Confidentiality impact is limited since the vulnerability does not directly expose data, but integrity breaches can undermine trust in AI-driven decision-making processes. Availability is not directly affected, but secondary impacts such as system instability or cleanup efforts could cause downtime. Organizations in sectors with high AI adoption—such as finance, healthcare, and technology—are particularly at risk. Additionally, the lack of authentication or user interaction requirements increases the threat surface. Given the growing use of AI frameworks in Europe, unpatched systems could become targets for attackers aiming to implant malicious code or disrupt AI services.

European organizations should immediately upgrade neuron-ai to version 2.8.12 or later, where the vulnerability is patched. Until upgrade is possible, restrict access to AI agent endpoints that use MySQLSelectTool to trusted users and networks to reduce exposure. Review and minimize FILE privileges granted to MySQL/MariaDB accounts used by neuron-ai, as this privilege is critical for exploitation. Harden database server configurations to disallow writing files to web-accessible or sensitive directories. Implement input validation and sanitization at the application layer to detect and block suspicious SQL constructs, especially those involving file writes. Monitor logs for unusual SQL queries containing INTO OUTFILE or similar clauses. Employ web application firewalls (WAFs) with custom rules to detect and block exploitation attempts. Conduct regular security audits of AI orchestration frameworks and database permissions. Finally, educate development and security teams about prompt injection risks and secure coding practices for AI tools.