PT-2025-43406 · Aiomysql+2

Published 2025-10-22 · Updated 2025-11-24 · CVE-2025-62611

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: aiomysql versions prior to 0.3.0
Description: aiomysql versions before 0.3.0 do not check the client's own local_infile setting before answering a LOAD DATA LOCAL INFILE request from the server. In the MySQL client/server protocol it is the server, not the client, that starts the file transfer: it replies to a query with a LOAD LOCAL instruction packet naming the file it wants, and the client reads that file and sends its contents back. Because the client-side check is missing, a malicious or compromised server can send such a packet in reply to any query and name any path readable by the client process, which effectively bypasses the intended safeguard. A rogue MySQL server can complete the authentication handshake, ignore the capability flags the client advertised, and steal files from the client. The issue affects environments in which aiomysql connects to untrusted or compromised MySQL servers. A proof of concept demonstrates reading files from the client machine with a rogue MySQL server and the aiomysql library, even when the local infile option is explicitly disabled on the client side; the rogue server logs each successful file read and saves the contents to a designated directory.
Recommendations: Update aiomysql from any version prior to 0.3.0 to version 0.3.0 or later. Setting local_infile=False on the client is not a workaround for affected versions, since the flaw is that this setting is not honoured.
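To make the protocol step in the description concrete, the following is an added illustration written for this advisory; it is not aiomysql's code and does not reproduce its fix. It models the client side of the LOAD DATA LOCAL INFILE exchange: the vulnerable behaviour (any 0xFB request packet is honoured) beside a hardened handler that refuses the request unless the client's own local_infile setting allows it and, as an added defence-in-depth assumption, unless the statement the client sent was itself a LOAD DATA LOCAL INFILE. The file system, file names and helper names (FAKE_FS, fake_open, rogue_server_packet, the *_client_reply functions) are constructed for the example.

```python
# Added illustration for this advisory (not aiomysql's code): a model of the
# client side of the MySQL LOAD DATA LOCAL INFILE exchange, showing why a
# rogue server could read client files and what a correct client must check.
#
# Protocol fact: after the client sends a query, a server that wants a file
# uploaded replies with a packet whose first payload byte is 0xFB followed by
# the file name.  The client then streams the file content back as packets
# and finishes with an empty packet.  Nothing stops a rogue server from
# sending 0xFB in reply to any query, e.g. a plain SELECT.

from typing import List, Optional

LOCAL_INFILE_REQUEST = 0xFB   # first payload byte of the server's request packet
CLIENT_LOCAL_FILES = 1 << 7   # capability bit the client advertises at handshake;
                              # it is only a hint to the server, not a protection


class LocalInfileRefused(Exception):
    """Raised by the hardened client when it refuses a file request."""


# Constructed stand-in for the client's file system (no real files are read).
FAKE_FS = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/tmp/upload.csv": b"1,alice\n2,bob\n",
}


def fake_open(path: str) -> bytes:
    """Hypothetical file reader over FAKE_FS (assumption for the example)."""
    if path not in FAKE_FS:
        raise FileNotFoundError(path)
    return FAKE_FS[path]


def parse_local_infile_request(payload: bytes) -> Optional[str]:
    """Return the requested file name if payload is a 0xFB request, else None."""
    if not payload or payload[0] != LOCAL_INFILE_REQUEST:
        return None
    return payload[1:].decode("utf-8", "surrogateescape")


def rogue_server_packet(path: str) -> bytes:
    """What a rogue server sends in place of a result set: 0xFB + file name."""
    return bytes([LOCAL_INFILE_REQUEST]) + path.encode()


def vulnerable_client_reply(payload: bytes, read_file=fake_open) -> Optional[List[bytes]]:
    """Pre-fix behaviour as the advisory describes it: every 0xFB packet is
    honoured, regardless of the client's settings or of the query it sent.
    Returns the packets the client would put on the wire."""
    name = parse_local_infile_request(payload)
    if name is None:
        return None                    # not a file request; normal result handling
    return [read_file(name), b""]      # file content, then the terminating empty packet


def hardened_client_reply(payload: bytes, *, local_infile: bool, sent_query: str,
                          read_file=fake_open) -> Optional[List[bytes]]:
    """Checks a client must make before sending a file.  The local_infile
    check is the one the advisory says was missing.  The query check is an
    added defence-in-depth assumption: a file request is only legitimate as
    the reply to a LOAD DATA LOCAL INFILE statement the client itself issued."""
    name = parse_local_infile_request(payload)
    if name is None:
        return None
    if not local_infile:
        raise LocalInfileRefused(
            f"server asked for {name!r} but local_infile is disabled on this client")
    if not sent_query.lstrip().upper().startswith("LOAD DATA LOCAL INFILE"):
        raise LocalInfileRefused(
            f"server asked for {name!r} in reply to a non-LOAD statement: {sent_query!r}")
    return [read_file(name), b""]


if __name__ == "__main__":
    evil = rogue_server_packet("/etc/passwd")
    print("vulnerable client leaks:", vulnerable_client_reply(evil)[0])
    try:
        hardened_client_reply(evil, local_infile=False, sent_query="SELECT 1")
    except LocalInfileRefused as e:
        print("hardened client refused:", e)
```

The point the model makes is that the decision to upload a file has to be taken from state the client controls (its configured local_infile setting and the statement it actually sent); the capability bit exchanged at handshake and anything the server asserts afterwards carry no weight, because a rogue server can ignore both.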

Related Identifiers

BDU:2025-15607
CVE-2025-62611
GHSA-r397-ff8c-wv2g
OESA-2025-2616
OESA-2025-2617
OESA-2025-2618
OESA-2025-2619
OESA-2025-2675

Affected Products

Debian
RED OS
aiomysql