CVE-2024-8953
Composio Eval Injection Vulnerability
CVSS 3.1 base score: 7.2 (HIGH)
EPSS: 0.27%
Description
In composiohq/composio version 0.4.3, the mathematical_calculator endpoint passes the caller-supplied expression to Python's eval() to perform the calculation. eval() evaluates any Python expression, not just arithmetic, so untrusted input can execute arbitrary code with the privileges of the process hosting the endpoint.
How to fix CVE-2024-8953
To remediate CVE-2024-8953, upgrade the affected package to the fixed version listed below.
- PyPI/composio-core: upgrade to 0.5.43 or later
Is CVE-2024-8953 being exploited?
Low. The EPSS score is 0.27%, a low estimated probability of exploitation in the wild over the next 30 days; it is a prediction, not evidence that the flaw is unexploited.
Affected packages (1)
- PyPI/composio-core: all versions from 0 up to, but not including, 0.5.43
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.2) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
References
- Advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-8953
- Patch: https://github.com/ComposioHQ/composio-js
- Web: https://github.com/ComposioHQ/composio/blob/b932d99e67f0fe95f8a0a24be9352e3f99059bc3/python/composio/tools/local/mathematical/actions/calculator.py#L37
- Web: https://github.com/ComposioHQ/composio/commit/ed82fb45dc9fbd7f07c535c72bada871c158ae5f