In composiohq/composio version 0.5.10, the API does not validate the `x-api-key` header's value during the authentication step. This vulnerability allows an attacker to bypass authentication by providing any random value in the `x-api-key` header, thereby gaining unauthorized access to the server.
The Composio application API accepts any arbitrary random value in the HTTP `x-api-key` header as a valid authentication key — without any verification of its correctness. An attacker sends a request to the API with the `x-api-key` header containing a random value, and the server treats such a request as authenticated. As a result, the authentication mechanism is completely ineffective and does not constitute any barrier to unauthorized access.
Attacker gains unauthorized access to the server with full privileges, which may lead to disclosure, modification, or destruction of processed data (high impact on confidentiality, integrity, and availability).
Apply patches available from the vendor according to references. Immediate update to version higher than 0.5.10 is recommended, and temporary restriction of access to Composio API at the network level (firewall, ACL lists) until the fix is deployed.
Composio (composiohq/composio) version 0.5.10
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HComposio
APPComposio0.5.10
Related vulnerabilities
RCE w Composio przez niebezpieczne użycie eval() w kalkulatorze
Composio: nieograniczony zapis/odczyt plików prowadzący do RCE
Directory Traversal vulnerability in ComposioHQ v.0.7.20 allows a remote attacker to obtain sensitive informat...
A Server-Side Request Forgery (SSRF) vulnerability exists in composiohq/composio version v0.4.2, specifically ...
A Server-Side Request Forgery (SSRF) vulnerability exists in composiohq/composio version v0.4.4. This vulnerab...