CVE-2024-8953: Composio Eval Injection Vulnerability
In composiohq/composio version 0.4.3, the mathematical_calculator endpoint uses the unsafe eval() function to perform mathematical operations. This can lead to arbitrary code execution if untrusted input is passed to the eval() function.
References
- github.com/ComposioHQ/composio-js
- github.com/ComposioHQ/composio/blob/b932d99e67f0fe95f8a0a24be9352e3f99059bc3/python/composio/tools/local/mathematical/actions/calculator.py
- github.com/ComposioHQ/composio/commit/ed82fb45dc9fbd7f07c535c72bada871c158ae5f
- github.com/advisories/GHSA-5xg7-5662-8x7j
- huntr.com/bounties/8203d721-e05f-4500-a5bc-c0bec980420c
- nvd.nist.gov/vuln/detail/CVE-2024-8953