GHSA-898v-775g-777c

Описание

Impact

MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare() + execute() without semantic restrictions.

This is consistent with the name (“write tool”), but in an LLM/agent context it becomes a high-risk capability: prompt injection or indirect prompt manipulation can cause execution of destructive queries such as DROP TABLE, TRUNCATE, DELETE, ALTER, or privilege-related statements (subject to DB permissions).

Who is impacted: Deployments that expose an agent with MySQLWriteTool enabled to untrusted input and/or run the tool with a DB user that has broad privileges.

Patches

Not patched in: 2.8.11

Recommended improvements (even if keeping the tool intentionally powerful):

• Provide a safer API that supports only constrained operations (e.g., insertRecord, updateRecord) with allowlisted tables/columns.

• Add a policy/allowlist layer (e.g., allow only INSERT/UPDATE on selected tables; forbid DROP/TRUNCATE/ALTER/GRANT).

• Add optional review workflow: log + require human approval for high-risk statements; or “dry-run” mode.

• Document strongly that the tool must not be exposed to untrusted prompts without additional safeguards.

Workarounds

• Do not enable MySQLWriteTool for public/untrusted agents.

• Use a dedicated DB user with least privilege:

  • no DROP, no ALTER, no GRANT, no access to sensitive tables unless necessary

• Add an application-layer policy rejecting high-risk statements (DROP, TRUNCATE, ALTER, GRANT, REVOKE, CREATE USER, etc.).

• Implement authorization gating for tool calls (RBAC, allow tool use only for trusted operators).