CVE-2025-62611

Name: CVE-2025-62611
Description: aiomysql is a library for accessing a MySQL database from asyncio. Prior to version 0.3.0, the client-side settings are not checked before sending local files to the MySQL server, which allows a rogue server to obtain arbitrary files from the client. It is possible to create a rogue MySQL server that emulates authorization, ignores client flags and requests arbitrary files from the client by sending a LOAD_LOCAL instruction packet. This issue has been patched in version 0.3.0.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1118754
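The class of check the description says was missing, as an added illustration written for this page (it is not aiomysql's code and does not reproduce the upstream fix): in the MySQL client/server protocol a server asks the client for a local file with a packet whose first byte is 0xFB followed by the filename, so a client must consult its own local_infile setting before replying with file contents. The vulnerable handler below honours every such request; the hardened one refuses unless local_infile was explicitly enabled, and additionally (an assumption that goes beyond the page's fix) confines honoured requests to an allowed directory. The sample file and packet are constructed inside the demo.

```python
import os
import tempfile

# In the MySQL client/server protocol, a server asks the client for a local
# file (LOAD DATA LOCAL INFILE) with a packet whose first byte is 0xFB,
# followed by the filename the server wants.
LOCAL_INFILE_REQUEST = 0xFB


class LocalInfileRefused(Exception):
    """The client declined to send a local file to the server."""


def parse_local_infile_request(packet: bytes):
    """Return the requested filename if packet is a LOCAL INFILE request, else None."""
    if not packet or packet[0] != LOCAL_INFILE_REQUEST:
        return None
    return packet[1:].decode("utf-8", errors="replace")


def _file_packets(filename: str) -> list:
    """Client reply to an honoured request: file contents, then an empty packet."""
    with open(filename, "rb") as fh:
        return [fh.read(), b""]


def vulnerable_client_response(packet: bytes, local_infile: bool) -> list:
    """The behaviour the CVE describes: local_infile is never consulted, so any
    server that sends a 0xFB packet receives whatever file it names."""
    filename = parse_local_infile_request(packet)
    if filename is None:
        raise ValueError("not a LOCAL INFILE request packet")
    return _file_packets(filename)


def hardened_client_response(packet: bytes, local_infile: bool, allowed_dir=None) -> list:
    """Honour the request only if the client explicitly enabled local_infile.
    allowed_dir is an extra restriction assumed here (beyond the page's fix):
    the requested path must resolve inside that directory."""
    filename = parse_local_infile_request(packet)
    if filename is None:
        raise ValueError("not a LOCAL INFILE request packet")
    if not local_infile:
        # This is the check the vulnerable versions skipped.
        raise LocalInfileRefused(
            f"server requested {filename!r} but local_infile is disabled")
    if allowed_dir is not None:
        resolved = os.path.realpath(filename)
        root = os.path.realpath(allowed_dir)
        if os.path.commonpath([resolved, root]) != root:
            raise LocalInfileRefused(
                f"{filename!r} resolves outside the allowed directory {allowed_dir!r}")
    return _file_packets(filename)


def _refuses(func, *args, **kwargs) -> bool:
    """True if the handler raised LocalInfileRefused for these arguments."""
    try:
        func(*args, **kwargs)
    except LocalInfileRefused:
        return True
    return False


def demo() -> dict:
    """Constructed scenario: the client never issued LOAD DATA LOCAL, yet a
    (simulated) server requests a file. Returns the outcome of each handler."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")  # constructed sample file
        with open(secret, "wb") as fh:
            fh.write(b"db_password=example\n")
        request = bytes([LOCAL_INFILE_REQUEST]) + secret.encode("utf-8")
        return {
            "vulnerable_leaks": vulnerable_client_response(request, local_infile=False)[0]
                                == b"db_password=example\n",
            "refused_when_disabled": _refuses(
                hardened_client_response, request, local_infile=False),
            "refused_outside_allowed_dir": _refuses(
                hardened_client_response, request, local_infile=True,
                allowed_dir=os.path.join(tmp, "data")),
            "sent_when_allowed": hardened_client_response(
                request, local_infile=True, allowed_dir=tmp)[1] == b"",
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the hardened handler is that the decision rests on client-side state the server cannot influence: a server that ignores the client's flags can still send the 0xFB packet, but the client only answers with file contents when its own configuration says it may.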

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release           Version    Status
aiomysql (PTS)    bullseye          0.0.20-2   vulnerable
aiomysql          bookworm, trixie  0.1.1-2    vulnerable
aiomysql          forky, sid        0.3.2-1    fixed

The information below is based on the following data on fixed versions.

Package    Type     Release     Fixed Version  Urgency  Origin  Debian Bugs
aiomysql   source   (unstable)  0.3.2-1                         1118754

Notes

[trixie] - aiomysql <no-dsa> (Minor issue)
[bookworm] - aiomysql <no-dsa> (Minor issue)
[bullseye] - aiomysql <postponed> (Minor issue)
https://github.com/aio-libs/aiomysql/security/advisories/GHSA-r397-ff8c-wv2g
https://github.com/aio-libs/aiomysql/pull/1044
Fixed by: https://github.com/aio-libs/aiomysql/commit/32c4520dae3711367ded74a4726dcb8bb8919538 (v0.3.2)
