CVE-2024-8953
Published: 20 March 2025
Description
Adversaries may abuse Python commands and scripts for execution (the MITRE ATT&CK description of T1059.006, Command and Scripting Interpreter: Python).
Security Summary
CVE-2024-8953 affects composiohq/composio version 0.4.3, where the mathematical_calculator endpoint passes user-supplied input to Python's eval() to perform mathematical operations. Because eval() executes any Python expression, not just arithmetic, untrusted input reaching it results in arbitrary code execution. The weakness is classified under CWE-627 (Dynamic Variable Evaluation) and CWE-913 (Improper Control of Dynamically-Managed Code Resources). The issue carries a CVSS v3.1 base score of 9.8 (Critical), reflecting high impact on confidentiality, integrity, and availability.
The vulnerability is exploitable over the network with low attack complexity, requires no privileges and no user interaction, and leaves scope unchanged; those metrics together correspond to the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. An unauthenticated remote attacker can submit a crafted expression to the mathematical_calculator endpoint and have it executed on the server hosting the affected composio instance with the privileges of the service process. Successful exploitation gives the attacker control of that process and, depending on how it is deployed, of the host, enabling data theft, data modification, or denial of service.
The primary advisory is the Huntr report at https://huntr.com/bounties/8203d721-e05f-4500-a5bc-c0bec980420c. Practitioners should consult it for the specific fix and any workarounds, since the CVE metadata itself provides no mitigation details. Upgrading composiohq/composio to a release later than 0.4.3 that the advisory identifies as fixed is the recommended remediation; as an interim measure, the endpoint should not be reachable from untrusted networks, and any code path that evaluates user input with eval() or exec() should be replaced with a restricted expression evaluator.
Details
- CWE(s): CWE-627 (Dynamic Variable Evaluation), CWE-913 (Improper Control of Dynamically-Managed Code Resources)
- Affected Products: composiohq/composio 0.4.3
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059.006 Command and Scripting Interpreter: Python
Why these techniques?
The CVE describes unauthenticated remote code execution through unsafe eval() in the public-facing mathematical_calculator endpoint of a web application. Reaching that endpoint with a crafted expression is T1190 (Exploit Public-Facing Application), the initial-access step; the payload itself is executed by the Python interpreter, which is T1059.006 (Command and Scripting Interpreter: Python).