Summary
The MCP Server provided by ExecuteAutomation at https://github.com/executeautomation/mcp-database-server provides an MCP interface for agentic workflows to interact with different kinds of database servers such as PostgreSQL database. However, the mcp-database-server MCP Server distributed via the npm package @executeautomation/database-server fails to implement proper security control that properly enforce a "read-only" mode and as such it is vulnerable to abuse and attacks on the affected database servers such as PostgreSQL (and potentially other db servers that expose elevated functionalities) and which may result in denial of service and other unexpected behavior.
This MCP Server is also publicly published in the npm registry: https://www.npmjs.com/package/@executeautomation/database-server
Vulnerable code
The vulnerable code to SQL injection takes shape in several ways:
startsWith("SELECT")can include multiple queries because the pg driver for theclient.query()supports multi queries if terminated with a;startsWith("SELECT")can include denial of service queries for stored procedures and other internal db functions
The tool call here in index.ts is vulnerable:
// Handle tool calls
server.setRequestHandler(CallToolRequestSchema, async (request) => {
switch (request.params.name) {
case "read_query": {
const query = request.params.arguments?.query as string;
if (!query.trim().toLowerCase().startsWith("select")) {
throw new Error("Only SELECT queries are allowed with read_query");
}
try {
const result = await dbAll(query);
return {
content: [{ type: "text", text: JSON.stringify(result, null, 2) }],
isError: false,
};
} catch (error: any) {
throw new Error(`SQL Error: ${error.message}`);
}
}
The MCP Server exposes the tool read_query with a naive attempt to guard for exclusive "read-only" mode that allows only data retrieval from the server by performing a check on the provided query string to ensure that it starts with a "SELECT" query.
In short, the code check startWith("select") is not an adequate security control to strict for read-only mode queries and can be abused for side-effects and database-level operations.
Exploitation
While allowing only SELECT type queries might seem like a good defense to allow only data retrieval and not data manipulation in any way (hence, "read-only" mode), it is a non-suficient way of protecting against database servers that expose extra functionality through internal function calls.
Several examples that will allow side effects through SELECT queries:
- Stored procedures:
SELECT some_function_that_updates_data(); - Internal database administrative operations:
SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE ...;
Even when the database is known not to have any stored procedures defined, an attacker can still cause significant availability and service disruption by executing pg_terminate_backend().
Following is a reproduction:
- Simulate a long-running query, for example:
query = "SELECT pg_sleep(5 * 60)" - Now, from the MCP programmatic interface, execute the following query
SELECT pid, usename, state, query FROM pg_stat_activity;to get the PID for the long running query - Next, use the same MCP interface to then request to run the following query:
SELECT pg_terminate_backend(PID);and observe the long running query is now terminated
Similar database side-effects may be found in MySQL or SQLite.
CVE Details
Recommended CWE: CWE-284: Improper Access Control
Recommendec CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
References and Prior work
- GitHub Kanban MCP Server found vulnerable to command injection.
- iOS Simulator MCP Server found vulnerable to command injection.
- Liran's Node.js Secure Coding for educational materials on injection attacks and secure coding practices.
- How to Bypass Access Control in PostgreSQL in Simple PSQL MCP Server for SQL Injection
- Reference example from prior security research on this topic, demonstrating how vulnerable MCP Server connected to Cursor is abused with prompt injection to bypass the developer's intended logic:
Credit
Disclosed by Liran Tal
Impact
The above exploitation surfaces two significant security risks: a denial of service that affects availability and confidentiality dislcosure that allows users unauthorized access to queries running on the server and potential leak of data.
CVE-2025-59333 has a CVSS score of 8.1 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
- Don't rely solely on the "starts with"
SELECT - Strict access to specific tables that the user is only authorized to query for
- Do not allow multiple SQL queries to be chained together like
SELECT * ...; INSERT INTO ... - Require users that adopt this MCP Server to use fine-grained permissions on the database server with strict and explicit access to specific capabilities on the server.
Frequently Asked Questions
- What is CVE-2025-59333? CVE-2025-59333 is a high-severity security vulnerability in @executeautomation/database-server (npm), affecting versions <= 1.1.0. No fixed version is listed yet.
- How severe is CVE-2025-59333? CVE-2025-59333 has a CVSS score of 8.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of @executeautomation/database-server are affected by CVE-2025-59333? @executeautomation/database-server (npm) versions <= 1.1.0 is affected.
- Is there a fix for CVE-2025-59333? No fixed version is listed for CVE-2025-59333 yet. Monitor the advisory for updates and apply mitigations in the interim.
- Is CVE-2025-59333 exploitable, and should I be worried? Whether CVE-2025-59333 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2025-59333 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.