CVE-2024-8953
HIGH7.2EPSS 0.27%Composio Eval Injection Vulnerability
發布日:2025/3/20修改日:2025/3/22
描述
In composiohq/composio version 0.4.3, the mathematical_calculator endpoint uses the unsafe eval() function to perform mathematical operations. This can lead to arbitrary code execution if untrusted input is passed to the eval() function.
受影響套件(1)
- PyPI/composio-corefrom 0, < 0.5.43
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.2 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-8953
- PATCHhttps://github.com/ComposioHQ/composio-js
- WEBhttps://github.com/ComposioHQ/composio/blob/b932d99e67f0fe95f8a0a24be9352e3f99059bc3/python/composio/tools/local/mathematical/actions/calculator.py#L37
- WEBhttps://github.com/ComposioHQ/composio/commit/ed82fb45dc9fbd7f07c535c72bada871c158ae5f
- WEBhttps://huntr.com/bounties/8203d721-e05f-4500-a5bc-c0bec980420c