Cyber Resilience

CVE-2024-8958

CriticalPublic PoC

Published: 20 March 2025

Published
20 March 2025
Modified
01 April 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0127 79.9th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-8958 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Composio Composio. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).

Deeper analysis

CVE-2024-8958 is an unrestricted file write and read vulnerability in the filetools actions of composiohq/composio version 0.4.3. The issue stems from improper validation of file paths, enabling attackers to access and modify files anywhere on the server. Published on 2025-03-20, it is associated with CWE-434 and carries a CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting critical severity due to high impacts on confidentiality, integrity, and availability.

Remote unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By manipulating file paths in filetools actions, they can read sensitive files or write arbitrary content, potentially achieving privilege escalation or remote code execution on the affected server.

Mitigation details are available in the advisory published on Huntr at https://huntr.com/bounties/e152b094-0593-428e-b813-068d2390ce68. Security practitioners should review this reference for patch information and remediation steps specific to composio version 0.4.3.

EU & UK References

Vulnerability details

In composiohq/composio version 0.4.3, there is an unrestricted file write and read vulnerability in the filetools actions. Due to improper validation of file paths, an attacker can read and write files anywhere on the server, potentially leading to privilege escalation…

more

or remote code execution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

The vulnerability is a remote unauthenticated path traversal flaw in a public-facing application enabling arbitrary file read/write, directly mapping to T1190 for initial access and facilitating T1005 for collecting data from the local system.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-8952Same product: Composio Composio
CVE-2024-8953Same product: Composio Composio
CVE-2024-8955Same product: Composio Composio
CVE-2025-57795Shared CWE-434
CVE-2020-37117Shared CWE-434
CVE-2024-56975Shared CWE-434
CVE-2019-25580Shared CWE-434
CVE-2026-27636Shared CWE-434
CVE-2026-4809Shared CWE-434
CVE-2020-37090Shared CWE-434

Affected Assets

composio
composio
0.4.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the improper validation of file paths by requiring checks on information inputs to block path traversal attacks enabling arbitrary file read/write.

prevent

Restricts file path inputs to organization-defined safe locations, preventing attackers from specifying arbitrary paths to access or modify files anywhere on the server.

prevent

Enforces least privilege on processes handling file operations, limiting the scope of damage from successful arbitrary file read/write or potential privilege escalation.

References