Description
Composio Eval Injection Vulnerability
In composiohq/composio version 0.4.3, the mathematical_calculator endpoint uses the unsafe eval() function to perform mathematical operations. This can lead to arbitrary code execution if untrusted input is passed to the eval() function.
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-8953
- https://github.com/ComposioHQ/composio/commit/ed82fb45dc9fbd7f07c535c72bada871c158ae5f
- https://github.com/ComposioHQ/composio/blob/b932d99e67f0fe95f8a0a24be9352e3f99059bc3/python/composio/tools/local/mathematical/actions/calculator.py#L37
- https://huntr.com/bounties/8203d721-e05f-4500-a5bc-c0bec980420c
Packages
Name: composio-core (pip)
Affected versions: < 0.5.43
Fixed version: 0.5.43
Related vulnerabilities
- nvd, CVSS3: 9.8, 11 months ago: In composiohq/composio version 0.4.3, the mathematical_calculator endpoint uses the unsafe eval() function to perform mathematical operations. This can lead to arbitrary code execution if untrusted input is passed to the eval() function.