CRITICAL🇵🇱 Wersja polska

CVE-2024-8958

CVSS 9.8v3.1pub. 2025-03-20upd. 2025-04-01

In composiohq/composio version 0.4.3, there is an unrestricted file write and read vulnerability in the filetools actions. Due to improper validation of file paths, an attacker can read and write files anywhere on the server, potentially leading to privilege escalation or remote code execution.

🤖 AI Analysis
How it works

The vulnerability (CWE-434) lies in the fact that filetools actions in Composio do not properly validate paths provided by the user. An attacker can pass crafted paths (e.g., using path traversal sequences) to gain access to arbitrary locations in the server's file system. By leveraging the ability to write files to selected locations, an attacker can, for example, replace configuration files, startup scripts, or place malicious executable code, which can consequently lead to taking control of the server.

Impact

An attacker can read sensitive data stored on the server (including credentials, private keys) and write malicious files to any location on the system, enabling privilege escalation or full remote code execution on the server.

Mitigation & patch

Apply patches available from the vendor according to the references. Additionally, it is recommended to restrict network access to the Composio instance exclusively to trusted hosts and monitor activity in the filetools module until the update is deployed.

Who is affected

Composio (composiohq/composio) version 0.4.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Composio

    APP
    Composio
    0.4.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCELPE
CWE
References

Related vulnerabilities

CVE-2024-8953CRITICAL9.8PL ✓ten sam produkt

RCE w Composio przez niebezpieczne użycie eval() w kalkulatorze

CVE-2024-8954CRITICAL9.8PL ✓ten sam produkt

Pominięcie uwierzytelnienia w Composio przez brak walidacji nagłówka x-api-key

CVE-2025-56427HIGH7.5ten sam produkt

Directory Traversal vulnerability in ComposioHQ v.0.7.20 allows a remote attacker to obtain sensitive informat...

CVE-2024-8952HIGH7.5ten sam produkt

A Server-Side Request Forgery (SSRF) vulnerability exists in composiohq/composio version v0.4.2, specifically ...

CVE-2024-8955HIGH7.5ten sam produkt

A Server-Side Request Forgery (SSRF) vulnerability exists in composiohq/composio version v0.4.4. This vulnerab...