CVE-2024-8955: composio allows Server-Side Request Forgery (SSRF) in BROWSERTOOL

March 20, 2025 (updated March 21, 2025)

A Server-Side Request Forgery (SSRF) vulnerability exists in composiohq/composio version v0.4.4. This vulnerability allows an attacker to read the contents of any file in the system by exploiting the BROWSERTOOL_GOTO_PAGE and BROWSERTOOL_GET_PAGE_DETAILS actions.

References

github.com/ComposioHQ/composio
github.com/ComposioHQ/composio/blob/master/python/composio/tools/local/browsertool/actions/goto_page.py
github.com/advisories/GHSA-38mg-wm59-g64x
huntr.com/bounties/13bc0399-2d9b-449e-95f2-6e9a7e39383d
nvd.nist.gov/vuln/detail/CVE-2024-8955

Detect and mitigate CVE-2024-8955 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →