aiomysql is a library for accessing a MySQL database from the asyncio. Prior to version 0.3.0, the client-side settings are not checked before sending local files to MySQL server, which allows obtaining arbitrary files from the client using a rogue server. It is possible to create a rogue MySQL server that emulates authorization, ignores client flags and requests arbitrary files from the client by sending a LOAD_LOCAL instruction packet. This issue has been patched in version 0.3.0.
Advisories
Source ID Title
Github GHSA Github GHSA GHSA-r397-ff8c-wv2g aiomysql allows arbitrary access to client files through vulnerability of a malicious MySQL server
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 22 Oct 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Oct 2025 19:45:00 +0000

Type Values Removed Values Added
Description aiomysql is a library for accessing a MySQL database from the asyncio. Prior to version 0.3.0, the client-side settings are not checked before sending local files to MySQL server, which allows obtaining arbitrary files from the client using a rogue server. It is possible to create a rogue MySQL server that emulates authorization, ignores client flags and requests arbitrary files from the client by sending a LOAD_LOCAL instruction packet. This issue has been patched in version 0.3.0.
Title aiomysql allows arbitrary access to client files through vulnerability of a malicious MySQL server
Weaknesses CWE-73
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2025-10-22T19:44:02.865Z

Reserved: 2025-10-16T19:24:37.268Z

Link: CVE-2025-62611

cve-icon Vulnrichment

Updated: 2025-10-22T19:43:54.987Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-10-22T20:15:38.363

Modified: 2025-10-22T21:12:32.330

Link: CVE-2025-62611

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.