neuron-core/neuron-ai is vulnerable to SQL Injection
76
High Risk
Affected versions of this package are vulnerable to SQL injection. To mitigate unsafe SQL execution, additional restrictions were added to block dangerous statements. MySQLSelectTool now forbids the use of INTO, OUTFILE, DUMPFILE, and LOAD_FILE, preventing attackers from writing files or reading arbitrary server files. Similarly, MySQLWriteTool was updated to disallow high-risk statements such as DROP, CREATE, ALTER, GRANT, TRUNCATE, REPLACE, MERGE, CALL, EXECUTE, and DELETE, reducing the risk of destructive or privilege-escalating SQL operations when user-controlled input is present.
You are affected if you are using a version that falls within the vulnerable range.
neuron-core/neuron-ai is vulnerable to SQL Injection in versions 1.11.4 - 2.8.11.
Upgrade the neuron-core/neuron-ai library to the patch version.
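The keyword restrictions described above, sketched as a standalone PHP check. This is an added example, not neuron-ai's code or its actual patch: the constant and function names are hypothetical, the sample statements are constructed, and only the keyword lists come from the advisory. It goes beyond a plain substring match by ignoring keywords inside string literals and ordinary comments while still scanning MySQL executable comments.

```php
<?php
declare(strict_types=1);

// Keyword lists come from the advisory text; all names below are hypothetical.
const SELECT_DENY = ['INTO', 'OUTFILE', 'DUMPFILE', 'LOAD_FILE'];
const WRITE_DENY  = ['DROP', 'CREATE', 'ALTER', 'GRANT', 'TRUNCATE',
                     'REPLACE', 'MERGE', 'CALL', 'EXECUTE', 'DELETE'];

// One left-to-right pass over quoted literals, backtick identifiers and comments,
// so a quote inside a comment (or "--" inside a string) cannot confuse the scan.
// MySQL runs the body of /*! ... */ (and MariaDB /*M! ... */) comments, so those
// are deliberately NOT matched here and stay in the text that gets checked.
const NON_CODE = <<<'RE'
~ '(?:[^'\\]|\\.|'')*' | "(?:[^"\\]|\\.|"")*" | `(?:[^`]|``)*`
| /\*(?![Mm]?!).*?\*/ | (?:\#|--(?=\s))[^\n]*
~xs
RE;

/** Return the denied keywords that occur as SQL tokens in $sql (empty array = allowed). */
function deniedKeywords(string $sql, array $deny): array
{
    // If PCRE fails (null), fall back to scanning the raw text, which can only over-block.
    $code = strtoupper(preg_replace(NON_CODE, ' ', $sql) ?? $sql);
    // Whole-token match: a column such as into_date does not count as INTO.
    preg_match_all('/[A-Z_][A-Z0-9_]*/', $code, $m);
    return array_values(array_intersect($deny, $m[0]));
}

// Constructed sample statements, not taken from the advisory or the project.
$samples = [
    [SELECT_DENY, "SELECT name FROM users WHERE note = 'went into the archive'"],
    [SELECT_DENY, "SELECT name FROM users INTO OUTFILE '/tmp/placeholder.csv'"],
    [WRITE_DENY,  "UPDATE notes SET body = 'please delete -- later' WHERE id = 7"],
    [WRITE_DENY,  "UPDATE notes SET body = 'x' /* drop me */ WHERE id = 7"],
    [WRITE_DENY,  "/*!50000 TRUNCATE TABLE notes */"],
];
foreach ($samples as [$deny, $sql]) {
    $hits = deniedKeywords($sql, $deny);
    echo ($hits ? 'BLOCK [' . implode(',', $hits) . ']' : 'ALLOW'), "  $sql\n";
}
```

A keyword denylist of this kind works best as a second layer: the database account the tools connect with should also lack the FILE privilege and any DDL or GRANT rights.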