CVE-2025-59333
Published: 16 September 2025
Summary
CVE-2025-59333 is a high-severity Improper Access Control (CWE-284) vulnerability in Executeautomation Mcp Database Server. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 33.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-59333 is a vulnerability in the mcp-database-server (MCP Server) version 1.1.0 and earlier, as distributed via the npm package @executeautomation/database-server. The issue arises from a failure to implement adequate security controls to properly enforce a "read-only" mode. This affects only the npm distribution; other distributions are not impacted. As a result, the server can be abused to attack connected database systems such as PostgreSQL and potentially others that expose elevated functionalities, mapped to CWE-284 (Improper Access Control) and NVD-CWE-Other.
Attackers with network access and low privileges (PR:L) can exploit this vulnerability with low complexity and no user interaction required. Exploitation enables high confidentiality impact (C:H), high availability impact (A:H) such as denial of service, and other unexpected behaviors on the affected database systems. The CVSS v3.1 base score is 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).
Mitigation guidance and further details are available in the GitHub security advisory at https://github.com/executeautomation/mcp-database-server/security/advisories/GHSA-65hm-pwj5-73pw.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-29621
Vulnerability details
The mcp-database-server (MCP Server) 1.1.0 and earlier, as distributed via the npm package @executeautomation/database-server, fails to implement adequate security controls to properly enforce a "read-only" mode. This vulnerability affects only the npm distribution; other distributions are not impacted. As a…
more
result, the server is susceptible to abuse and attacks on affected database systems such as PostgreSQL, and potentially others that expose elevated functionalities. These attacks may lead to denial of service and other unexpected behaviors.
- CWE(s)
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: mcp
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Failure to enforce read-only mode allows abuse of the MCP server to perform unauthorized operations on backend databases (e.g., PostgreSQL), enabling application exploitation for endpoint denial of service (T1499.004) and stored data manipulation (T1565.001).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the failure to implement adequate security controls enforcing read-only mode in the MCP server.
Enables timely identification, reporting, and remediation of the specific software flaw allowing abuse of database systems.
Limits privileges assigned to the MCP server processes connecting to databases like PostgreSQL, reducing impact of unenforced read-only mode.