CVE-2025-59333 (GCVE-0-2025-59333)
Vulnerability from cvelistv5 – Published: 2025-09-16 14:18 – Updated: 2025-09-16 18:19
VLAI
Title
@executeautomation/database-server does not properly restrict access, bypassing a "read-only" mode
Summary
The mcp-database-server (MCP Server) 1.1.0 and earlier, as distributed via the npm package @executeautomation/database-server, fails to implement adequate security controls to properly enforce a "read-only" mode. This vulnerability affects only the npm distribution; other distributions are not impacted. As a result, the server is susceptible to abuse and attacks on affected database systems such as PostgreSQL, and potentially others that expose elevated functionalities. These attacks may lead to denial of service and other unexpected behaviors.
Severity
8.1 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/executeautomation/mcp-database… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| executeautomation | mcp-database-server |
Affected:
<= 1.1.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59333",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-16T18:19:03.723842Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T18:19:09.072Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/executeautomation/mcp-database-server/security/advisories/GHSA-65hm-pwj5-73pw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mcp-database-server",
"vendor": "executeautomation",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The mcp-database-server (MCP Server) 1.1.0 and earlier, as distributed via the npm package @executeautomation/database-server, fails to implement adequate security controls to properly enforce a \"read-only\" mode. This vulnerability affects only the npm distribution; other distributions are not impacted. As a result, the server is susceptible to abuse and attacks on affected database systems such as PostgreSQL, and potentially others that expose elevated functionalities. These attacks may lead to denial of service and other unexpected behaviors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T14:18:48.881Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/executeautomation/mcp-database-server/security/advisories/GHSA-65hm-pwj5-73pw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/executeautomation/mcp-database-server/security/advisories/GHSA-65hm-pwj5-73pw"
}
],
"source": {
"advisory": "GHSA-65hm-pwj5-73pw",
"discovery": "UNKNOWN"
},
"title": "@executeautomation/database-server does not properly restrict access, bypassing a \"read-only\" mode"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59333",
"datePublished": "2025-09-16T14:18:48.881Z",
"dateReserved": "2025-09-12T12:36:24.635Z",
"dateUpdated": "2025-09-16T18:19:09.072Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-59333",
"date": "2026-06-18",
"epss": "0.00363",
"percentile": "0.27978"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-59333\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-09-16T15:15:46.450\",\"lastModified\":\"2025-10-08T19:18:04.110\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The mcp-database-server (MCP Server) 1.1.0 and earlier, as distributed via the npm package @executeautomation/database-server, fails to implement adequate security controls to properly enforce a \\\"read-only\\\" mode. This vulnerability affects only the npm distribution; other distributions are not impacted. As a result, the server is susceptible to abuse and attacks on affected database systems such as PostgreSQL, and potentially others that expose elevated functionalities. These attacks may lead to denial of service and other unexpected behaviors.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:executeautomation:mcp_database_server:*:*:*:*:*:node.js:*:*\",\"versionEndIncluding\":\"1.1.0\",\"matchCriteriaId\":\"430FC751-43B7-485E-9F6A-433D176B2C5B\"}]}]}],\"references\":[{\"url\":\"https://github.com/executeautomation/mcp-database-server/security/advisories/GHSA-65hm-pwj5-73pw\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/executeautomation/mcp-database-server/security/advisories/GHSA-65hm-pwj5-73pw\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-59333\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-09-16T18:19:03.723842Z\"}}}], \"references\": [{\"url\": \"https://github.com/executeautomation/mcp-database-server/security/advisories/GHSA-65hm-pwj5-73pw\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-09-16T18:18:56.983Z\"}}], \"cna\": {\"title\": \"@executeautomation/database-server does not properly restrict access, bypassing a \\\"read-only\\\" mode\", \"source\": {\"advisory\": \"GHSA-65hm-pwj5-73pw\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"executeautomation\", \"product\": \"mcp-database-server\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 1.1.0\"}]}], \"references\": [{\"url\": \"https://github.com/executeautomation/mcp-database-server/security/advisories/GHSA-65hm-pwj5-73pw\", \"name\": \"https://github.com/executeautomation/mcp-database-server/security/advisories/GHSA-65hm-pwj5-73pw\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The mcp-database-server (MCP Server) 1.1.0 and earlier, as distributed via the npm package @executeautomation/database-server, fails to implement adequate security controls to properly enforce a \\\"read-only\\\" mode. This vulnerability affects only the npm distribution; other distributions are not impacted. As a result, the server is susceptible to abuse and attacks on affected database systems such as PostgreSQL, and potentially others that expose elevated functionalities. These attacks may lead to denial of service and other unexpected behaviors.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284: Improper Access Control\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-09-16T14:18:48.881Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-59333\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-09-16T18:19:09.072Z\", \"dateReserved\": \"2025-09-12T12:36:24.635Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-09-16T14:18:48.881Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
FKIE_CVE-2025-59333
Vulnerability from fkie_nvd - Published: 2025-09-16 15:15 - Updated: 2026-06-17 09:45
Severity
Summary
The mcp-database-server (MCP Server) 1.1.0 and earlier, as distributed via the npm package @executeautomation/database-server, fails to implement adequate security controls to properly enforce a "read-only" mode. This vulnerability affects only the npm distribution; other distributions are not impacted. As a result, the server is susceptible to abuse and attacks on affected database systems such as PostgreSQL, and potentially others that expose elevated functionalities. These attacks may lead to denial of service and other unexpected behaviors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| executeautomation | mcp_database_server | * |
{
"affected": [
{
"affectedData": [
{
"product": "mcp-database-server",
"vendor": "executeautomation",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.1.0"
}
]
}
],
"source": "security-advisories@github.com"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:executeautomation:mcp_database_server:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "430FC751-43B7-485E-9F6A-433D176B2C5B",
"versionEndIncluding": "1.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The mcp-database-server (MCP Server) 1.1.0 and earlier, as distributed via the npm package @executeautomation/database-server, fails to implement adequate security controls to properly enforce a \"read-only\" mode. This vulnerability affects only the npm distribution; other distributions are not impacted. As a result, the server is susceptible to abuse and attacks on affected database systems such as PostgreSQL, and potentially others that expose elevated functionalities. These attacks may lead to denial of service and other unexpected behaviors."
}
],
"id": "CVE-2025-59333",
"lastModified": "2026-06-17T09:45:55.497",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2025-59333",
"options": [
{
"exploitation": "poc"
},
{
"automatable": "no"
},
{
"technicalImpact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-16T18:19:03.723842Z",
"version": "2.0.3"
}
}
]
},
"published": "2025-09-16T15:15:46.450",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/executeautomation/mcp-database-server/security/advisories/GHSA-65hm-pwj5-73pw"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/executeautomation/mcp-database-server/security/advisories/GHSA-65hm-pwj5-73pw"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-65HM-PWJ5-73PW
Vulnerability from github – Published: 2025-09-16 19:31 – Updated: 2025-09-16 19:31
VLAI
Summary
@executeautomation/database-server does not properly restrict access, bypassing a "read-only" mode
Details
The MCP Server provided by ExecuteAutomation at https://github.com/executeautomation/mcp-database-server provides an MCP interface for agentic workflows to interact with different kinds of database servers such as PostgreSQL database. However, the mcp-database-server MCP Server distributed via the npm package @executeautomation/database-server fails to implement proper security control that properly enforce a "read-only" mode and as such it is vulnerable to abuse and attacks on the affected database servers such as PostgreSQL (and potentially other db servers that expose elevated functionalities) and which may result in denial of service and other unexpected behavior.
This MCP Server is also publicly published in the npm registry: https://www.npmjs.com/package/@executeautomation/database-server
Vulnerable code
The vulnerable code to SQL injection takes shape in several ways:
- startsWith("SELECT") can include multiple queries because the pg driver for the client.query() supports multi queries if terminated with a ;
- startsWith("SELECT") can include denial of service queries for stored procedures and other internal db functions
The tool call here in index.ts is vulnerable:
// Handle tool calls
server.setRequestHandler(CallToolRequestSchema, async (request) => {
switch (request.params.name) {
case "read_query": {
const query = request.params.arguments?.query as string;
if (!query.trim().toLowerCase().startsWith("select")) {
throw new Error("Only SELECT queries are allowed with read_query");
}
try {
const result = await dbAll(query);
return {
content: [{ type: "text", text: JSON.stringify(result, null, 2) }],
isError: false,
};
} catch (error: any) {
throw new Error(`SQL Error: ${error.message}`);
}
}
The MCP Server exposes the tool read_query with a naive attempt to guard for exclusive "read-only" mode that allows only data retrieval from the server by performing a check on the provided query string to ensure that it starts with a "SELECT" query.
In short, the code check startWith("select") is not an adequate security control to strict for read-only mode queries and can be abused for side-effects and database-level operations.
Exploitation
While allowing only SELECT type queries might seem like a good defense to allow only data retrieval and not data manipulation in any way (hence, "read-only" mode), it is a non-suficient way of protecting against database servers that expose extra functionality through internal function calls.
Several examples that will allow side effects through SELECT queries:
1. Stored procedures: SELECT some_function_that_updates_data();
2. Internal database administrative operations: SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE ...;
Even when the database is known not to have any stored procedures defined, an attacker can still cause significant availability and service disruption by executing pg_terminate_backend().
Following is a reproduction:
- Simulate a long-running query, for example:
query = "SELECT pg_sleep(5 * 60)" - Now, from the MCP programmatic interface, execute the following query
SELECT pid, usename, state, query FROM pg_stat_activity;to get the PID for the long running query - Next, use the same MCP interface to then request to run the following query:
SELECT pg_terminate_backend(PID);and observe the long running query is now terminated
Similar database side-effects may be found in MySQL or SQLite.
Impact
The above exploitation surfaces two significant security risks: a denial of service that affects availability and confidentiality dislcosure that allows users unauthorized access to queries running on the server and potential leak of data.
Recommendation
- Don't rely solely on the "starts with"
SELECT - Strict access to specific tables that the user is only authorized to query for
- Do not allow multiple SQL queries to be chained together like
SELECT * ...; INSERT INTO ... - Require users that adopt this MCP Server to use fine-grained permissions on the database server with strict and explicit access to specific capabilities on the server.
CVE Details
Recommended CWE: CWE-284: Improper Access Control Recommendec CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
References and Prior work
- GitHub Kanban MCP Server found vulnerable to command injection.
- iOS Simulator MCP Server found vulnerable to command injection.
- Liran's Node.js Secure Coding for educational materials on injection attacks and secure coding practices.
- How to Bypass Access Control in PostgreSQL in Simple PSQL MCP Server for SQL Injection
- Reference example from prior security research on this topic, demonstrating how vulnerable MCP Server connected to Cursor is abused with prompt injection to bypass the developer's intended logic:
Credit
Disclosed by Liran Tal
Severity
8.1 (High)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@executeautomation/database-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-59333"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-16T19:31:56Z",
"nvd_published_at": "2025-09-16T15:15:46Z",
"severity": "HIGH"
},
"details": "The MCP Server provided by ExecuteAutomation at https://github.com/executeautomation/mcp-database-server provides an MCP interface for agentic workflows to interact with different kinds of database servers such as PostgreSQL database. However, the `mcp-database-server` MCP Server distributed via the npm package `@executeautomation/database-server` fails to implement proper security control that properly enforce a \"read-only\" mode and as such it is vulnerable to abuse and attacks on the affected database servers such as PostgreSQL (and potentially other db servers that expose elevated functionalities) and which may result in denial of service and other unexpected behavior.\n\nThis MCP Server is also publicly published in the npm registry: https://www.npmjs.com/package/@executeautomation/database-server\n\n## Vulnerable code\n\nThe vulnerable code to SQL injection takes shape in several ways:\n- `startsWith(\"SELECT\")` can include multiple queries because the pg driver for the `client.query()` supports multi queries if terminated with a `;`\n- `startsWith(\"SELECT\")` can include denial of service queries for stored procedures and other internal db functions\n\nThe tool call [here in index.ts](https://github.com/executeautomation/mcp-database-server/blob/d6afa4be08eb05343195635fa9462746a6be3a59/index.ts#L272C1-L291C6) is vulnerable:\n\n```\n// Handle tool calls\nserver.setRequestHandler(CallToolRequestSchema, async (request) =\u003e {\n switch (request.params.name) {\n case \"read_query\": {\n const query = request.params.arguments?.query as string;\n \n if (!query.trim().toLowerCase().startsWith(\"select\")) {\n throw new Error(\"Only SELECT queries are allowed with read_query\");\n }\n\n try {\n const result = await dbAll(query);\n return {\n content: [{ type: \"text\", text: JSON.stringify(result, null, 2) }],\n isError: false,\n };\n } catch (error: any) {\n throw new Error(`SQL Error: ${error.message}`);\n }\n }\n```\n\nThe MCP Server exposes the tool `read_query` with a naive attempt to guard for exclusive \"read-only\" mode that allows only data retrieval from the server by performing a check on the provided query string to ensure that it starts with a \"SELECT\" query.\n\nIn short, the code check `startWith(\"select\")` is not an adequate security control to strict for read-only mode queries and can be abused for side-effects and database-level operations.\n\n## Exploitation\n\nWhile allowing only `SELECT` type queries might seem like a good defense to allow only data retrieval and not data manipulation in any way (hence, \"read-only\" mode), it is a non-suficient way of protecting against database servers that expose extra functionality through internal function calls.\n\nSeveral examples that will allow side effects through `SELECT` queries:\n1. Stored procedures: `SELECT some_function_that_updates_data();`\n2. Internal database administrative operations: `SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE ...;`\n\nEven when the database is known not to have any stored procedures defined, an attacker can still cause significant availability and service disruption by executing `pg_terminate_backend()`.\n\nFollowing is a reproduction:\n\n- Simulate a long-running query, for example: `query = \"SELECT pg_sleep(5 * 60)\"`\n- Now, from the MCP programmatic interface, execute the following query `SELECT pid, usename, state, query FROM pg_stat_activity;` to get the PID for the long running query\n- Next, use the same MCP interface to then request to run the following query: `SELECT pg_terminate_backend(PID);` and observe the long running query is now terminated\n\nSimilar database side-effects may be found in MySQL or SQLite.\n\n## Impact\n\nThe above exploitation surfaces two significant security risks: a denial of service that affects availability and confidentiality dislcosure that allows users unauthorized access to queries running on the server and potential leak of data.\n\n## Recommendation\n\n- Don\u0027t rely solely on the \"starts with\" `SELECT`\n- Strict access to specific tables that the user is only authorized to query for\n- Do not allow multiple SQL queries to be chained together like `SELECT * ...; INSERT INTO ...`\n- Require users that adopt this MCP Server to use fine-grained permissions on the database server with strict and explicit access to specific capabilities on the server.\n\n## CVE Details\n\nRecommended CWE: CWE-284: Improper Access Control\nRecommendec CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\n\n## References and Prior work\n\n1. GitHub Kanban MCP Server found [vulnerable to command injection](https://github.com/advisories/GHSA-6jx8-rcjx-vmwf).\n2. iOS Simulator MCP Server found [vulnerable to command injection](https://github.com/advisories/GHSA-6f6r-m9pv-67jw).\n3. Liran\u0027s [Node.js Secure Coding](https://www.nodejs-security.com/book/command-injection) for educational materials on injection attacks and secure coding practices.\n4. [How to Bypass Access Control in PostgreSQL in Simple PSQL MCP Server for SQL Injection](https://www.nodejs-security.com/blog/how-to-bypass-access-control-in-postgresql-in-simple-psql-mcp-server-for-sql-injection)\n5. Reference example from prior security research on this topic, demonstrating how vulnerable MCP Server connected to Cursor is abused with prompt injection to bypass the developer\u0027s intended logic:\n\n\n\n## Credit\n\nDisclosed by [Liran Tal](https://lirantal.com)",
"id": "GHSA-65hm-pwj5-73pw",
"modified": "2025-09-16T19:31:56Z",
"published": "2025-09-16T19:31:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/executeautomation/mcp-database-server/security/advisories/GHSA-65hm-pwj5-73pw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59333"
},
{
"type": "PACKAGE",
"url": "https://github.com/executeautomation/mcp-database-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "@executeautomation/database-server does not properly restrict access, bypassing a \"read-only\" mode"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…