CVE-2025-62611
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-22

Last updated on: 2025-10-22

Assigner: GitHub, Inc.

Description
aiomysql is a library for accessing a MySQL database from the asyncio. Prior to version 0.3.0, the client-side settings are not checked before sending local files to MySQL server, which allows obtaining arbitrary files from the client using a rogue server. It is possible to create a rogue MySQL server that emulates authorization, ignores client flags and requests arbitrary files from the client by sending a LOAD_LOCAL instruction packet. This issue has been patched in version 0.3.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-22
Last Modified
2025-10-22
Generated
2026-06-16
AI Q&A
2025-10-22
EPSS Evaluated
2026-06-14
NVD
CVE-2025-62611
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
aio-libs aiomysql 0.2.0
aio-libs aiomysql 0.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive files from your client system to an attacker-controlled MySQL server. Since exploitation requires no privileges or user interaction and can be performed remotely over the network, an attacker can easily exfiltrate arbitrary files, potentially exposing confidential data, credentials, or other sensitive information stored on the client machine. [3, 1]

Executive Summary

This vulnerability in the aiomysql Python library allows a malicious MySQL server to trick the client into sending arbitrary local files. Before version 0.3.0, the client did not properly verify or restrict local file access requests from the server. A rogue server can emulate authorization, ignore client flags, and send LOAD_LOCAL instruction packets to retrieve files from the client system without permission. This flaw enables attackers controlling or impersonating a MySQL server to exfiltrate sensitive files from the client machine. [1, 3]

Detection Guidance

Detection involves monitoring for unusual LOAD_LOCAL instruction packets sent from your aiomysql client to MySQL servers, especially when connecting to untrusted or unknown servers. Since the vulnerability allows a rogue server to request arbitrary local files, you can inspect network traffic for unexpected LOAD_LOCAL commands or file transfer activity. Additionally, reviewing client logs for unexpected file access or transfers triggered by MySQL connections may help. Specific commands are not provided in the resources, but using network packet capture tools like tcpdump or Wireshark to filter MySQL protocol traffic and searching for LOAD_LOCAL packets can be effective. [1, 3]

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade the aiomysql library to version 0.3.0 or later, where the issue is patched. The fix requires explicitly enabling the local_infile parameter on the client side to allow local file loading, preventing unauthorized file access by rogue servers. Until upgrading, avoid connecting to untrusted MySQL servers and disable any local file loading features if possible. Applying the patch from Pull Request #1044 or equivalent security updates is recommended to enforce proper verification of LOAD_LOCAL requests. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62611. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart