CVE-2026-48772

ProxySQL · ProxySQL

A PROXY protocol v1 implementation flaw in ProxySQL allows unauthenticated attackers to spoof source IP addresses, resulting in ACL and routing bypasses.

Executive summary

A critical vulnerability in ProxySQL versions 2.0.0 through 3.0.8 allows unauthenticated attackers to bypass security rules and manipulate query routing by spoofing client IP addresses.

Vulnerability

This is an input validation vulnerability: ProxySQL incorrectly parses PROXY protocol v1 (PP1) headers. An unauthenticated attacker can supply a crafted PP1 frame to spoof their source IP, so that ACLs and the logic governing read-write splitting or administrative access are evaluated against the attacker-chosen address and are effectively bypassed.
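A PROXY protocol v1 header is a single ASCII line of the form `PROXY TCP4 <src> <dst> <sport> <dport>\r\n`. The following Python is an added illustration, not ProxySQL's code (the advisory does not say which parsing step was flawed): a strict v1 parser written from the published PROXY protocol specification, paired with the trust check a receiver must apply so that a PROXY line is honoured only on connections from a configured upstream proxy, never from an arbitrary client. All addresses and network ranges are constructed sample values.

```python
import ipaddress
from typing import Optional

MAX_V1_LINE = 107  # longest legal v1 line including CRLF, per the PROXY protocol spec

class ProxyHeaderError(ValueError):
    """Any off-spec v1 line: the receiver should drop the connection, not guess."""

def _check_port(text: str) -> None:
    # Decimal digits only, no sign, no leading zeros (except "0"), range 0..65535.
    if not text.isdigit() or (len(text) > 1 and text[0] == "0") or int(text) > 65535:
        raise ProxyHeaderError(f"bad port {text!r}")

def parse_proxy_v1(raw: bytes) -> Optional[str]:
    """Strictly parse one v1 line; return the claimed source IP, or None for UNKNOWN."""
    if len(raw) > MAX_V1_LINE or not raw.endswith(b"\r\n"):
        raise ProxyHeaderError("missing CRLF terminator or line too long")
    body = raw[:-2]
    if not body.isascii() or b"\r" in body or b"\n" in body:
        raise ProxyHeaderError("non-ASCII byte or embedded line break")
    fields = body.decode("ascii").split(" ")
    if len(fields) < 2 or fields[0] != "PROXY" or "" in fields:  # "" = stray/double space
        raise ProxyHeaderError("bad signature or separator")
    family = fields[1]
    if family == "UNKNOWN":  # spec: ignore any trailing fields and keep the real peer address
        return None
    if family not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ProxyHeaderError("unsupported family or wrong field count")
    addr_cls = ipaddress.IPv4Address if family == "TCP4" else ipaddress.IPv6Address
    try:
        src, _dst = addr_cls(fields[2]), addr_cls(fields[3])  # both must match the family
    except ValueError as exc:
        raise ProxyHeaderError(f"address does not match {family}") from exc
    _check_port(fields[4])
    _check_port(fields[5])
    return str(src)

def acl_client_addr(real_peer: str, header: Optional[bytes], trusted_proxies: list) -> str:
    """Address that ACLs and routing rules should see for this connection."""
    peer = ipaddress.ip_address(real_peer)
    if not any(peer in ipaddress.ip_network(net) for net in trusted_proxies):
        if header is not None:  # a PROXY line from an arbitrary client is never honoured
            raise ProxyHeaderError("PROXY header from untrusted peer")
        return real_peer
    if header is None:  # a proxy configured to send the header must always send it
        raise ProxyHeaderError("missing PROXY header from trusted proxy")
    return parse_proxy_v1(header) or real_peer
```

The second function is the control that matters most: even a perfectly parsed header must only be trusted from the proxy tier, so the ACL address cannot be chosen by whoever opens the TCP connection.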

Business impact

The ability to bypass ACLs and query-routing logic presents a severe risk to data integrity and system availability. With a CVSS score of 10.0, this flaw could allow unauthorized users to execute administrative DDL commands or access restricted database schemas, potentially leading to total system compromise or significant data exfiltration.

Remediation

Immediate Action: Upgrade all ProxySQL instances to version 3.0.9 or later, which contains the corrected PROXY protocol parsing logic.

Proactive Monitoring: Inspect database access logs for anomalous client_addr entries that do not align with expected infrastructure traffic patterns.

Compensating Controls: Restrict network access to the ProxySQL frontend port to trusted IP ranges only, effectively limiting the surface area available to potential attackers.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the critical nature of this routing and ACL bypass, immediate action is required. Organizations utilizing ProxySQL for load balancing or query routing must prioritize patching to version 3.0.9 to prevent unauthorized access to sensitive database operations.