CVE-2025-62611

Name: CVE-2025-62611
Description: aiomysql is a library for accessing a MySQL database from asyncio. Prior to version 0.3.0, the client-side settings are not checked before sending local files to the MySQL server, which allows obtaining arbitrary files from the client using a rogue server. It is possible to create a rogue MySQL server that emulates authorization, ignores client flags and requests arbitrary files from the client by sending a LOAD_LOCAL instruction packet. This issue has been patched in version 0.3.0.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1118754

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release                        Version    Status
aiomysql (PTS)    bullseye                       0.0.20-2   vulnerable
                  forky, sid, bookworm, trixie   0.1.1-2    vulnerable

The information below is based on the following data on fixed versions.

Package     Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
aiomysql    source   (unstable)   (unfixed)                          1118754

Notes

https://github.com/aio-libs/aiomysql/security/advisories/GHSA-r397-ff8c-wv2g
https://github.com/aio-libs/aiomysql/pull/1044
Fixed by: https://github.com/aio-libs/aiomysql/commit/32c4520dae3711367ded74a4726dcb8bb8919538 (v0.3.2)
