CVE-2024-8953

CRITICAL

composio < 0.5.43 - Remote Code Execution via Mathematical Calculator Endpoint

Title source: llm

Description

In composiohq/composio version 0.4.3, the mathematical_calculator endpoint uses the unsafe eval() function to perform mathematical operations. This can lead to arbitrary code execution if untrusted input is passed to the eval() function.

References (1)

Core 1

Core References

Exploit

https://huntr.com/bounties/8203d721-e05f-4500-a5bc-c0bec980420c

Scores

CVSS v3 9.8

EPSS 0.0103

EPSS Percentile 59.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-627 CWE-913

Status published

Products (2)

composio/composio 0.4.3

pypi/composio-core 0 - 0.5.43PyPI

Published Mar 20, 2025

Tracked Since Feb 18, 2026