CVE-2024-8953
Published: 20 March 2025
Summary
CVE-2024-8953 is a critical-severity Dynamic Variable Evaluation (CWE-627) vulnerability in Composio (composiohq/composio). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 49.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely identification, reporting, and correction of flaws like the unsafe eval() usage in composiohq/composio, directly preventing arbitrary code execution.
SI-10 mandates validation of untrusted inputs to the mathematical_calculator endpoint, blocking malicious expressions from triggering code execution via eval().
RA-5 ensures vulnerability scanning detects CVE-2024-8953 in composiohq/composio and triggers remediation to mitigate remote code execution risks.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes remote unauthenticated arbitrary code execution via unsafe eval() in a public-facing mathematical_calculator endpoint of a web application, directly enabling T1190 (Exploit Public-Facing Application) for initial access and T1059.006 (Python) as the scripting interpreter abused for code execution.
NVD Description
In composiohq/composio version 0.4.3, the mathematical_calculator endpoint uses the unsafe eval() function to perform mathematical operations. This can lead to arbitrary code execution if untrusted input is passed to the eval() function.
Deeper analysis
CVE-2024-8953 affects composiohq/composio version 0.4.3, where the mathematical_calculator endpoint improperly uses the unsafe eval() function to perform mathematical operations. This vulnerability, associated with CWE-627 (Dynamic Variable Evaluation) and CWE-913 (Improper Control of Dynamically-Managed Code Resources), enables arbitrary code execution when untrusted input is passed to eval(). The issue has a CVSS v3.1 base score of 9.8, reflecting its critical severity due to high impacts on confidentiality, integrity, and availability.
The vulnerability is exploitable over the network with low attack complexity, requiring no privileges, no user interaction, and maintaining an unchanged scope. Remote attackers can send crafted input to the mathematical_calculator endpoint, triggering arbitrary code execution on the server hosting the affected composio instance. Successful exploitation grants attackers full control over the system, potentially leading to data theft, modification, or denial of service.
The primary advisory is available on Huntr at https://huntr.com/bounties/8203d721-e05f-4500-a5bc-c0bec980420c, which details the vulnerability report. Security practitioners should consult this reference for specific patch information or workarounds, as no additional mitigation details are provided in the CVE metadata. Upgrading to a fixed version of composiohq/composio beyond 0.4.3 is recommended to address the eval() misuse.
Details
- CWE(s)