CVE-2024-8955
Published: 20 March 2025
Description
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Security Summary
CVE-2024-8955 is a Server-Side Request Forgery (SSRF) vulnerability in composiohq/composio version v0.4.4. The issue resides in the BROWSERTOOL_GOTO_PAGE and BROWSERTOOL_GET_PAGE_DETAILS actions, which can be exploited to read the contents of any file on the affected system. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-918.
An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. By sending crafted requests to the vulnerable actions, the attacker achieves arbitrary file read access on the server, resulting in high confidentiality impact but no integrity or availability disruption.
Mitigation details are available in the advisory published on Huntr at https://huntr.com/bounties/13bc0399-2d9b-449e-95f2-6e9a7e39383d.
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- MITRE ATLAS Techniques
- None mapped
- Classification Reason
- Composio is an open-source platform for integrating tools and actions with AI agents, including browser tools like BROWSERTOOL_GOTO_PAGE and BROWSERTOOL_GET_PAGE_DETAILS, which are exploited in this SSRF vulnerability. Reported on an AI/ML bug bounty platform.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF vulnerability enables arbitrary local file reads, facilitating T1005 (Data from Local System) for collecting data from files and T1552.001 (Credentials in Files) for accessing unsecured credentials.