CRITICAL🇵🇱 Wersja polska

CVE-2024-8954

CVSS 9.8v3.0pub. 2025-03-20upd. 2025-07-15

In composiohq/composio version 0.5.10, the API does not validate the `x-api-key` header's value during the authentication step. This vulnerability allows an attacker to bypass authentication by providing any random value in the `x-api-key` header, thereby gaining unauthorized access to the server.

🤖 AI Analysis
How it works

The Composio application API accepts any arbitrary random value in the HTTP `x-api-key` header as a valid authentication key — without any verification of its correctness. An attacker sends a request to the API with the `x-api-key` header containing a random value, and the server treats such a request as authenticated. As a result, the authentication mechanism is completely ineffective and does not constitute any barrier to unauthorized access.

Impact

Attacker gains unauthorized access to the server with full privileges, which may lead to disclosure, modification, or destruction of processed data (high impact on confidentiality, integrity, and availability).

Mitigation & patch

Apply patches available from the vendor according to references. Immediate update to version higher than 0.5.10 is recommended, and temporary restriction of access to Composio API at the network level (firewall, ACL lists) until the fix is deployed.

Who is affected

Composio (composiohq/composio) version 0.5.10

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Composio

    APP
    Composio
    0.5.10
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2024-8953CRITICAL9.8PL ✓ten sam produkt

RCE w Composio przez niebezpieczne użycie eval() w kalkulatorze

CVE-2024-8958CRITICAL9.8PL ✓ten sam produkt

Composio: nieograniczony zapis/odczyt plików prowadzący do RCE

CVE-2025-56427HIGH7.5ten sam produkt

Directory Traversal vulnerability in ComposioHQ v.0.7.20 allows a remote attacker to obtain sensitive informat...

CVE-2024-8952HIGH7.5ten sam produkt

A Server-Side Request Forgery (SSRF) vulnerability exists in composiohq/composio version v0.4.2, specifically ...

CVE-2024-8955HIGH7.5ten sam produkt

A Server-Side Request Forgery (SSRF) vulnerability exists in composiohq/composio version v0.4.4. This vulnerab...