CRITICAL🇵🇱 Wersja polska

CVE-2024-8953

CVSS 9.8v3.1pub. 2025-03-20upd. 2025-04-01

In composiohq/composio version 0.4.3, the mathematical_calculator endpoint uses the unsafe eval() function to perform mathematical operations. This can lead to arbitrary code execution if untrusted input is passed to the eval() function.

🤖 AI Analysis
How it works

The mathematical_calculator endpoint accepts user input and passes it directly to the eval() function to perform mathematical operations. The eval() function interprets the passed string as code and executes it in the application context. An attacker can craft a malicious payload instead of a mathematical expression and thus trigger arbitrary code execution on the server side.

Impact

An attacker without any privileges can remotely execute arbitrary code on the server (RCE), which may result in complete system takeover, data theft, backdoor installation, or service disruption.

Mitigation & patch

Patches available from the vendor should be applied according to the references. It is recommended to replace the eval() function with a secure library for parsing mathematical expressions and implement strict validation and sanitization of input data on the server side.

Who is affected

Composio version 0.4.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Composio

    APP
    Composio
    0.4.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2024-8954CRITICAL9.8PL ✓ten sam produkt

Pominięcie uwierzytelnienia w Composio przez brak walidacji nagłówka x-api-key

CVE-2024-8958CRITICAL9.8PL ✓ten sam produkt

Composio: nieograniczony zapis/odczyt plików prowadzący do RCE

CVE-2025-56427HIGH7.5ten sam produkt

Directory Traversal vulnerability in ComposioHQ v.0.7.20 allows a remote attacker to obtain sensitive informat...

CVE-2024-8952HIGH7.5ten sam produkt

A Server-Side Request Forgery (SSRF) vulnerability exists in composiohq/composio version v0.4.2, specifically ...

CVE-2024-8955HIGH7.5ten sam produkt

A Server-Side Request Forgery (SSRF) vulnerability exists in composiohq/composio version v0.4.4. This vulnerab...