PT-2025-43406 · Aiomysql · Aiomysql

Published 2025-10-22 · Updated 2025-10-24 · CVE-2025-62611

CVSS v4.0: 8.2
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: aiomysql versions prior to 0.3.0
Description: aiomysql does not check its own client-side local_infile setting before transmitting local files to a MySQL server. After the client has sent any query, a malicious server can answer with a LOAD DATA LOCAL INFILE request packet naming an arbitrary path, and the client reads that file and streams its contents back, even though the client never enabled local_infile. A rogue MySQL server can complete the authentication handshake as a legitimate server would, ignore the client's capability flags, and steal files from the client host. The issue affects environments that connect to untrusted or compromised MySQL servers. A proof-of-concept demonstrates reading files from the client machine using a rogue MySQL server and the aiomysql library, even when the local_infile option is explicitly disabled on the client side. The rogue server logs successful file reads and saves the contents to a designated directory.
Recommendations: Versions prior to 0.3.0 should be updated to version 0.3.0 or later. Until the upgrade is deployed, treat any connection to a MySQL server you do not control as exposing readable files on the client host, regardless of the local_infile setting.
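The following is an added example, not aiomysql's own code or the proof-of-concept referenced above. It constructs the server packet at the centre of this issue (a MySQL "LOCAL INFILE Request", a payload whose first byte is 0xFB followed by the file name) and shows, side by side, a client handler that honours the request unconditionally, as the advisory describes for versions before 0.3.0, and a handler that consults the client's own local_infile setting first. The packet-handling functions, the exception class and the in-memory stand-in for the client filesystem are all assumptions made for the example so that it runs offline with no MySQL server.

```python
from __future__ import annotations

# MySQL wire format: 3-byte little-endian payload length, 1-byte sequence id, payload.
# A payload whose first byte is 0xFB is a "LOCAL INFILE Request": the server asks the
# client to read the named file and send its contents back.
LOCAL_INFILE_REQUEST = 0xFB

# Constructed stand-in for the client's filesystem (example data, not real files).
FAKE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/home/app/.env": b"DB_PASSWORD=constructed-secret\n",
}


def build_local_infile_request(filename: str, seq: int = 1) -> bytes:
    """Packet a rogue server sends in place of a normal query result."""
    payload = bytes([LOCAL_INFILE_REQUEST]) + filename.encode()
    header = len(payload).to_bytes(3, "little") + bytes([seq])
    return header + payload


def parse_packet(raw: bytes) -> bytes:
    """Return the payload of one MySQL packet (the sequence id is not needed here)."""
    length = int.from_bytes(raw[:3], "little")
    return raw[4:4 + length]


def read_local_file(path: str) -> bytes:
    """Hypothetical file read against the constructed filesystem above."""
    return FAKE_FILES[path]


class LocalInfileRefused(Exception):
    """Raised when the server asks for a file the client never agreed to send."""


def handle_packet_vulnerable(payload: bytes) -> bytes | None:
    """Behaviour the advisory describes for aiomysql < 0.3.0: the server's request
    is honoured no matter what the client configured."""
    if payload and payload[0] == LOCAL_INFILE_REQUEST:
        return read_local_file(payload[1:].decode())
    return None


def handle_packet_hardened(payload: bytes, local_infile: bool) -> bytes | None:
    """Check the client-side setting before touching the filesystem."""
    if payload and payload[0] == LOCAL_INFILE_REQUEST:
        filename = payload[1:].decode()
        if not local_infile:
            raise LocalInfileRefused(
                f"server requested {filename!r} but local_infile is disabled on the client"
            )
        return read_local_file(filename)
    return None


def request_refused(payload: bytes, local_infile: bool) -> bool:
    """True if the hardened handler rejects the packet under the given setting."""
    try:
        handle_packet_hardened(payload, local_infile)
    except LocalInfileRefused:
        return True
    return False


if __name__ == "__main__":
    pkt = build_local_infile_request("/etc/passwd")
    payload = parse_packet(pkt)
    print("vulnerable client sent:", handle_packet_vulnerable(payload))
    print("hardened client refused:", request_refused(payload, local_infile=False))
```

Note that the server chooses the path: the request arrives after any query, so the client's own SQL never needs to mention LOAD DATA at all. That is why the check must key off the client's configured setting (aiomysql's connect() takes a local_infile keyword, which defaults to False) rather than off anything the server sends.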

Fix

Weakness Enumeration

Related Identifiers

CVE-2025-62611
GHSA-R397-FF8C-WV2G

Affected Products

Aiomysql