Cyber Resilience

CVE-2025-59333

Severity: High · Public PoC

Published: 16 September 2025
Modified: 08 October 2025
KEV added: not listed
Patch: none listed
CVSS v3.1 score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS score: 0.0014 (33.7th percentile)
Risk priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-59333 is a high-severity Improper Access Control (CWE-284) vulnerability in the executeautomation mcp-database-server. Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks it at the 33.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised under AI Agent Protocols and Integrations, within the Protocol-Specific Risks domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-59333 affects mcp-database-server (an MCP server) version 1.1.0 and earlier as distributed via the npm package @executeautomation/database-server. The server fails to implement adequate security controls to enforce its "read-only" mode. Only the npm distribution is affected; other distributions are not impacted. As a result, the server can be abused to attack connected database systems such as PostgreSQL, and potentially others that expose elevated functionality. The weakness is mapped to CWE-284 (Improper Access Control) and NVD-CWE-Other.

Attackers with network access and low privileges (PR:L) can exploit the flaw with low attack complexity and no user interaction. Exploitation has high confidentiality impact (C:H) and high availability impact (A:H), including denial of service and other unexpected behaviour on the affected database systems; integrity impact is rated none (I:N). The CVSS v3.1 base score is 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).

Mitigation guidance and further details are available in the GitHub security advisory at https://github.com/executeautomation/mcp-database-server/security/advisories/GHSA-65hm-pwj5-73pw.

Vulnerability details

The mcp-database-server (MCP Server) 1.1.0 and earlier, as distributed via the npm package @executeautomation/database-server, fails to implement adequate security controls to properly enforce a "read-only" mode. This vulnerability affects only the npm distribution; other distributions are not impacted. As a result, the server is susceptible to abuse and attacks on affected database systems such as PostgreSQL, and potentially others that expose elevated functionalities. These attacks may lead to denial of service and other unexpected behaviors.

CWE(s): CWE-284 (Improper Access Control); NVD-CWE-Other
AI Security Analysis

AI category: AI Agent Protocols and Integrations
Risk domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: none mapped
Classification reason: matched keywords: mcp

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

T1565.001 Stored Data Manipulation (tactic: Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Failure to enforce read-only mode allows abuse of the MCP server to perform unauthorized operations on backend databases (e.g., PostgreSQL), enabling application exploitation for endpoint denial of service (T1499.004) and stored data manipulation (T1565.001).

CVEs Like This One

CVE-2024-55963 (shared CWE-284)
CVE-2026-35245 (shared CWE-284)
CVE-2026-28974 (shared CWE-284)
CVE-2026-33062 (shared CWE-284)
CVE-2026-2592 (shared CWE-284)
CVE-2024-44303 (shared CWE-284)
CVE-2026-21694 (shared CWE-284)
CVE-2024-56889 (shared CWE-284)
CVE-2026-20736 (shared CWE-284)
CVE-2026-32752 (shared CWE-284)

Affected Assets

executeautomation mcp-database-server, versions ≤ 1.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-3 (Access Enforcement). Directly addresses the failure to implement adequate security controls enforcing read-only mode in the MCP server.

Prevent: SI-2 (Flaw Remediation). Enables timely identification, reporting, and remediation of the specific software flaw allowing abuse of database systems.

Prevent: Limits the privileges assigned to the MCP server processes connecting to databases such as PostgreSQL, reducing the impact of an unenforced read-only mode.
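The advisory does not describe how the project's read-only mode is implemented, so the example below is an added, defender-side illustration and not code from mcp-database-server. It shows the pattern the deeper analysis and the privilege-limiting control above point at: enforce read-only at the database layer, where the engine refuses writes, instead of relying on the application to filter statements. Python's sqlite3 stands in for PostgreSQL, the sample table is constructed here, and all function names are the example's own.

```python
"""Enforce read-only database access at the driver layer (added illustration).

sqlite3 stands in for PostgreSQL; the sample database is constructed here
and is not data from the advisory.
"""
import os
import sqlite3
import tempfile
from pathlib import Path


def build_sample_db(path: str) -> None:
    """Create a small constructed table so the read-only checks have data."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    con.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    con.commit()
    con.close()


def open_read_only(path: str) -> sqlite3.Connection:
    """Open the database so that writes are refused by the engine itself.

    Two independent layers: the mode=ro URI flag (applied when the file is
    opened) and PRAGMA query_only (applied per statement). Either alone
    rejects writes; together, one mistake does not silently restore write access.
    """
    con = sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)
    con.execute("PRAGMA query_only = ON")
    return con


def run_statement(con: sqlite3.Connection, sql: str, params=()):
    """Run one statement and report ('ok', rows) or ('rejected', reason)."""
    try:
        return ("ok", con.execute(sql, params).fetchall())
    except sqlite3.OperationalError as exc:
        return ("rejected", str(exc))


def demo() -> dict:
    """Show that reads pass and every write path is refused, then verify on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.db")
        build_sample_db(path)
        con = open_read_only(path)
        results = {
            "select": run_statement(con, "SELECT name FROM users ORDER BY id"),
            "insert": run_statement(con, "INSERT INTO users (name) VALUES (?)", ("carol",))[0],
            "update": run_statement(con, "UPDATE users SET name = 'x'")[0],
            "drop": run_statement(con, "DROP TABLE users")[0],
        }
        con.close()
        # Independent check through a normal connection: the table is untouched.
        check = sqlite3.connect(path)
        results["rows_after"] = check.execute("SELECT COUNT(*) FROM users").fetchone()[0]
        check.close()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The PostgreSQL equivalent of the two layers is a dedicated role granted only SELECT on the schemas the server needs, with `default_transaction_read_only = on` set for that role, so that a read-only mode that the application fails to enforce is still enforced by the database.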
