Composio
CVE-2024-8953
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 15 pypi packages depend on composio-core (11 direct, 4 indirect)
Ecosystem-wide dependent count for version 0.5.43.
DescriptionCVE.org
In composiohq/composio version 0.4.3, the mathematical_calculator endpoint uses the unsafe eval() function to perform mathematical operations. This can lead to arbitrary code execution if untrusted input is passed to the eval() function.
AnalysisAI
In composiohq/composio version 0.4.3, the mathematical_calculator endpoint uses the unsafe eval() function to perform mathematical operations. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-627. In composiohq/composio version 0.4.3, the mathematical_calculator endpoint uses the unsafe eval() function to perform mathematical operations. This can lead to arbitrary code execution if untrusted input is passed to the eval() function. Affected products include: Composio. Version information: version 0.4.3.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
In composiohq/composio version 0.5.10, the API does not validate the `x-api-key` header's value during the authenticatio
Directory Traversal vulnerability in ComposioHQ v.0.7.20 allows a remote attacker to obtain sensitive information via th
A Server-Side Request Forgery (SSRF) vulnerability exists in composiohq/composio version v0.4.4. Rated high severity (CV
A vulnerability was found in composiohq composio up to 0.5.8 and classified as problematic. Rated medium severity (CVSS
A vulnerability has been found in composiohq composio up to 0.5.6 and classified as critical. Rated medium severity (CVS
In composiohq/composio version 0.4.3, there is an unrestricted file write and read vulnerability in the filetools action
A Server-Side Request Forgery (SSRF) vulnerability exists in composiohq/composio version v0.4.2, specifically in the /ap
composio >=0.5.40 is vulnerable to Command Execution in composio_openai, composio_claude, and composio_julep via the han
Same weakness CWE-627 – Dynamic Variable Evaluation
View allShare
External POC / Exploit Code
Leaving vuln.today