Mysql Mcp Server
SQL injection in designcomputer mysql-mcp-server (versions up to 0.2.2) allows an authenticated remote attacker to execute arbitrary SQL by passing a crafted mysql:// URI to the read_resource function in server.py. The root cause is that the table-name segment of a mysql://database/<name> URI is interpolated into a MySQL query without being validated as an identifier, so anything after the database segment becomes part of the executed statement. In an MCP deployment the "authenticated" caller is usually the model-driven client, so any content that can steer the model into requesting a resource URI can reach this sink. A public proof-of-concept exploit exists (GitHub issue #89). The issue is not listed in CISA KEV, which means no confirmed widespread exploitation had been reported at the time of analysis, not that exploitation is impractical. An official fix was released as v0.3.0 and backported to v0.2.3; affected deployments should upgrade to one of those versions.
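The following added example is not the project's code; it is a hypothetical stand-in for the resource lookup the advisory describes, written to show the vulnerable pattern beside a hardened one. sqlite3 substitutes for MySQL so the block runs offline (SQLite accepts backtick-quoted identifiers, so the hardened query is the same text MySQL would receive). Function names, the table layout and the crafted URI are all constructed for illustration.

```python
import re
import sqlite3
from urllib.parse import urlparse


def parse_table_uri(uri: str) -> str:
    """Return the <name> segment of a mysql://database/<name> URI (assumed layout)."""
    parsed = urlparse(uri)
    if parsed.scheme != "mysql" or not parsed.netloc:
        raise ValueError("expected mysql://database/<table>")
    return parsed.path.lstrip("/")


def build_query_vulnerable(uri: str) -> str:
    # The injection sink: the table name is spliced straight into SQL.
    table = parse_table_uri(uri)
    return f"SELECT * FROM {table} LIMIT 100"


# MySQL identifiers are at most 64 characters; restrict to a safe subset.
_IDENT = re.compile(r"[A-Za-z0-9_]{1,64}")


def build_query_hardened(uri: str, known_tables: set[str]) -> str:
    # Validate the segment as an identifier, then confirm it is a real table
    # (in MySQL, known_tables would be loaded from information_schema.tables),
    # and finally quote it so it can only ever be read as an identifier.
    table = parse_table_uri(uri)
    if not _IDENT.fullmatch(table):
        raise ValueError(f"invalid table name: {table!r}")
    if table not in known_tables:
        raise ValueError(f"unknown table: {table!r}")
    return f"SELECT * FROM `{table}` LIMIT 100"


def make_demo_db() -> sqlite3.Connection:
    """Constructed sample data: one table the client may read, one it must not."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users(id INTEGER, name TEXT);
        CREATE TABLE secrets(id INTEGER, token TEXT);
        INSERT INTO users VALUES (1, 'alice');
        INSERT INTO secrets VALUES (1, 'tok_constructed');
        """
    )
    return conn


# Crafted URI: the "table name" carries a UNION that pulls rows from secrets,
# and the trailing comment swallows the LIMIT clause that follows it.
CRAFTED_URI = "mysql://app/users UNION SELECT id, token FROM secrets --"
BENIGN_URI = "mysql://app/users"


def run_vulnerable(conn: sqlite3.Connection, uri: str) -> list[tuple]:
    return conn.execute(build_query_vulnerable(uri)).fetchall()


def run_hardened(conn: sqlite3.Connection, uri: str) -> list[tuple]:
    known = {row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}
    return conn.execute(build_query_hardened(uri, known)).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable:", run_vulnerable(db, CRAFTED_URI))   # leaks the token
    print("hardened:  ", run_hardened(db, BENIGN_URI))
    try:
        run_hardened(db, CRAFTED_URI)
    except ValueError as exc:
        print("hardened rejected crafted URI:", exc)
```

The allowlist check matters as much as the regex: a bare identifier regex would still let a client read any table the MySQL account can see, so the hardened path should only accept names the server has already enumerated for that database.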