FuzzySQL: Uncovering Hidden Vulnerabilities in DBMS Special Features with LLM-Driven Fuzzing

• URL: http://arxiv.org/abs/2602.19490v1
• Date: Mon, 23 Feb 2026 04:20:19 GMT
• Title: FuzzySQL: Uncovering Hidden Vulnerabilities in DBMS Special Features with LLM-Driven Fuzzing
• Authors: Yongxin Chen, Zhiyuan Jiang, Chao Zhang, Haoran Xu, Shenglin Xu, Jianping Tang, Zheming Li, Peidai Xie, Yongjun Wang,
• Abstract summary: Fuzzy unifies rule-based patching with semantic repair to correct syntactic and context-sensitive failures.<n>We uncover 37 vulnerabilities, 7 of which are tied to under-tested special features.<n>Our results highlight the limitations of conventional fuzzers in semantic feature coverage.
• Score: 37.235342117305684
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: Traditional database fuzzing techniques primarily focus on syntactic correctness and general SQL structures, leaving critical yet obscure DBMS features, such as system-level modes (e.g., GTID), programmatic constructs (e.g., PROCEDURE), advanced process commands (e.g., KILL), largely underexplored. Although rarely triggered by typical inputs, these features can lead to severe crashes or security issues when executed under edge-case conditions. In this paper, we present FuzzySQL, a novel LLM-powered adaptive fuzzing framework designed to uncover subtle vulnerabilities in DBMS special features. FuzzySQL combines grammar-guided SQL generation with logic-shifting progressive mutation, a novel technique that explores alternative control paths by negating conditions and restructuring execution logic, synthesizing structurally and semantically diverse test cases. To further ensure deeper execution coverage of the back end, FuzzySQL employs a hybrid error repair pipeline that unifies rule-based patching with LLM-driven semantic repair, enabling automatic correction of syntactic and context-sensitive failures. We evaluate FuzzySQL across multiple DBMSs, including MySQL, MariaDB, SQLite, PostgreSQL and Clickhouse, uncovering 37 vulnerabilities, 7 of which are tied to under-tested DBMS special features. As of this writing, 29 cases have been confirmed with 9 assigned CVE identifiers, 14 already fixed by vendors, and additional vulnerabilities scheduled to be patched in upcoming releases. Our results highlight the limitations of conventional fuzzers in semantic feature coverage and demonstrate the potential of LLM-based fuzzing to discover deeply hidden bugs in complex database systems.

Related papers

• ErrorLLM: Modeling SQL Errors for Text-to-SQL Refinement [57.98138819417949]
  We propose ErrorLLM, a framework that explicitly models text-to- querying.<n>We show that ErrorLLM achieves the most significant improvements over backbone initial generation.<n>ErrorLLM addresses both sides by high detection F1 score while maintaining refinement effectiveness.
  arXiv  Detail & Related papers  (2026-03-04T05:27:20Z)
• Text-to-SQL as Dual-State Reasoning: Integrating Adaptive Context and Progressive Generation [54.53145282349042]
  We introduce DSR-sourced, a textbfDual-textbfS textbfReasoning framework that models Text-to-context as an interaction between an adaptive context state and a progressive generation state.<n>Without any post-training or in-context examples, DSR-sourced achieves competitive performance, reaching 35.28% execution accuracy on Spider 2.0-Snow and 68.32% on BIRD development set.
  arXiv  Detail & Related papers  (2025-11-26T13:52:50Z)
• Automated Discovery of Test Oracles for Database Management Systems Using LLMs [13.143749352093474]
  This paper explores the use of large language models (LLMs) to automate the discovery and instantiation of test oracles.<n>LLMs are prone to hallucinations that can produce numerous false positive bug reports.<n>We introduce Argus, a novel framework built upon the core concept of the Constrained Abstract Query.
  arXiv  Detail & Related papers  (2025-10-08T05:29:11Z)
• LLM-Symbolic Integration for Robust Temporal Tabular Reasoning [69.27153114778748]
  We introduce TempTabQA-C, a synthetic dataset designed for systematic and controlled evaluations.<n>This structured approach allows Large Language Models (LLMs) to generate and executesql queries, enhancing generalization and mitigating biases.
  arXiv  Detail & Related papers  (2025-06-06T05:14:04Z)
• Testing Database Systems with Large Language Model Synthesized Fragments [3.3302293148249125]
  We propose ShQveL, an approach that augments existingsql test-case generators by leveraging Large Language Models (LLMs)<n>We evaluated ShQveL on 5 iterations and discovered 55 unique and previously unknown bugs, 50 of which were promptly fixed after our reports.
  arXiv  Detail & Related papers  (2025-05-04T06:48:01Z)
• CrackSQL: A Hybrid SQL Dialect Translation System Powered by Large Language Models [20.718779783349984]
  Crack is the first hybrid SQL dialect translation system that combines rule and LLM-based methods to overcome limitations.<n>Crack supports three translation modes and offers multiple deployment options including a web console interface, a PyPI package, and a command-line prompt.
  arXiv  Detail & Related papers  (2025-04-01T15:11:03Z)
• RSL-SQL: Robust Schema Linking in Text-to-SQL Generation [51.00761167842468]
  We propose a novel framework called RSL- that combines bidirectional schema linking, contextual information augmentation, binary selection strategy, and multi-turn self-correction. benchmarks demonstrate that our approach achieves SOTA execution accuracy among open-source solutions, with 67.2% on BIRD and 87.9% on GPT-4ocorrection. Our approach outperforms a series of GPT-4 based Text-to-Seek systems when adopting DeepSeek (much cheaper) with same intact prompts.
  arXiv  Detail & Related papers  (2024-10-31T16:22:26Z)
• SQLaser: Detecting DBMS Logic Bugs with Clause-Guided Fuzzing [17.421408394486072]
  Database Management Systems (DBMSs) are vital components in modern data-driven systems. Their complexity often leads to logic bugs, which can lead to incorrect query results, data exposure, unauthorized access, etc. Existing detection employs two strategies: rule-based bug detection and coverage-guided fuzzing.
  arXiv  Detail & Related papers  (2024-07-05T06:56:33Z)
• Unmasking Database Vulnerabilities: Zero-Knowledge Schema Inference Attacks in Text-to-SQL Systems [7.613758211231583]
  We introduce a novel zero-knowledge framework for reconstructing the underlying database schema of text-to-generative models without any prior knowledge of the database.<n>We demonstrate that our method achieves high accuracy in reconstructing table names, with F1 scores of up to.99 for generative models and.78 for fine-tuned models, underscoring the severity of schema leakage risks.
  arXiv  Detail & Related papers  (2024-06-20T17:54:33Z)
• SQL-PaLM: Improved Large Language Model Adaptation for Text-to-SQL (extended) [53.95151604061761]
  This paper introduces the framework for enhancing Text-to- filtering using large language models (LLMs) With few-shot prompting, we explore the effectiveness of consistency decoding with execution-based error analyses. With instruction fine-tuning, we delve deep in understanding the critical paradigms that influence the performance of tuned LLMs.
  arXiv  Detail & Related papers  (2023-05-26T21:39:05Z)
• Photon: A Robust Cross-Domain Text-to-SQL System [189.1405317853752]
  We present Photon, a robust, modular, cross-domain NLIDB that can flag natural language input to which a mapping cannot be immediately determined. The proposed method effectively improves the robustness of text-to-native system against untranslatable user input.
  arXiv  Detail & Related papers  (2020-07-30T07:44:48Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.