Blog

blog

Neon Exploit: Malicious SQL Injection

Attackers can exploit the Neon MCP server to execute malicious SQL operations. Learn how to protect your database from these threats.

Neon, a serverless, open-source Postgres platform, has recently released its official MCP server. While this new tool offers powerful features like autoscaling and branching, it also introduces a new threat landscape that requires careful attention.

The Setup: An Employee Performance Database

Consider a Neon project with a database named employeeperformacedb, which contains a table called employee_reviews. The NeonDB MCP is set up in the user's IDE and authenticated with their Neon credentials.

Neon MCP Authentication Setup Database Schema Configuration

The Attack Scenario: Exploiting the run_sql Tool

The Neon MCP includes a powerful tool, run_sql, that can execute any SQL instruction. A clever attacker can exploit this tool to trigger a wide range of malicious actions.

Imagine a website that allows users to submit employee performance reviews. These reviews are stored in a Neon database with fields like employee_id, name, team, and review_notes. An attacker, posing as a user named Henry James, submits a review but embeds a malicious prompt in the review_notes field.

Malicious Prompt Injection in Review Notes

The malicious instruction is designed to hijack the Neon MCP. It directs the MCP to find and modify the review of another employee, Marcus Alford, with fabricated text.

When a legitimate user, such as a database admin, uses their IDE to retrieve review data, they unknowingly trigger the malicious prompt. The IDE's chat feature invokes the Neon MCP, which then executes the attacker's instructions. While the IDE may sometimes block such commands, a well-crafted exploit can often bypass these protections.

Cursor IDE MCP Tool Invocation Malicious SQL Execution Process Database State Modification Result

The result is a malicious state change in a production database. This is an Indirect Prompt Injection attack that compromises the MCP in two ways:

  • Control Flow Hijack: The user's intended read-only operation is escalated to a write operation. The malicious prompt, retrieved from the database, forces the MCP to execute the run_sql tool with a malicious UPDATE statement.
  • Data Flow Corruption: The data for the run_sql tool call—the SQL query itself—is supplied by the attacker in the stored prompt. This corrupts the data flow by feeding untrusted, malicious data directly into a powerful tool that can modify the database.

This attack vector is a specific example of LLM01: Prompt Injection, the number one vulnerability in the OWASP Top 10 for Large Language Model Applications.

The Root of the Problem: Unchecked Mutations

The Neon MCP includes numerous tools that can create, update, or delete data. These "mutation" tools are powerful but also present a significant security risk.

Neon MCP Tools Categorized by CRUD Operations

If an attacker can trigger a mutation tool by hijacking a privileged user's session, they can maliciously alter the database or exfiltrate sensitive data. While one solution would be to disable all mutation-based tools, this would render the Neon MCP unusable for most workflows.

Security vs Functionality Trade-off Analysis