CVE Vulnerabilities

CVE-2024-8953

Dynamic Variable Evaluation

Published: Mar 20, 2025 | Modified: Apr 01, 2025
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu

In composiohq/composio version 0.4.3, the mathematical_calculator endpoint uses the unsafe eval() function to perform mathematical operations. This can lead to arbitrary code execution if untrusted input is passed to the eval() function.

Weakness

In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.

Affected Software

Name Vendor Start Version End Version
Composio Composio 0.4.3 (including) 0.4.3 (including)

Potential Mitigations

References