Arbitrary SQL Execution Vulnerability in Neuron PHP Framework by Neuron Core
CVE-2025-67510

9.4CRITICAL

Key Information:

Vendor

Neuron-core

Status
Neuron-ai
Vendor
CVE Published:
10 December 2025

What is CVE-2025-67510?

The Neuron PHP framework, utilized for creating and managing AI agents, is susceptible to an arbitrary SQL execution vulnerability in versions 2.8.11 and earlier. The MySQLWriteTool component enables execution of SQL commands from external inputs without sufficient restrictions. This exposes the application to significant risks, allowing attackers to manipulate prompt inputs, potentially leading to the execution of destructive operations such as DROP TABLE, DELETE, and permissions-related commands. It is crucial for deployments that utilize this functionality to ensure that the tool is not exposed to untrusted inputs and that database accounts with broad privileges are not used. A fix has been implemented in version 2.8.12.

Affected Version(s)

neuron-ai < 2.8.12

References

https://github.com/neuron-core/neuron-ai/security/advisor...
x_refsource_CONFIRM
https://github.com/neuron-core/neuron-ai/commit/44bab85d9...
x_refsource_MISC
https://github.com/neuron-core/neuron-ai/commit/ea49f8c4f...
x_refsource_MISC

CVSS V3.1

Score:
9.4
Severity:
CRITICAL
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-67510 : Arbitrary SQL Execution Vulnerability in Neuron PHP Framework by Neuron Core