CVE-2024-8958

In composiohq/composio version 0.4.3, there is an unrestricted file write and read vulnerability in the filetools actions. Due to improper validation of file paths, an attacker can read and write files anywhere on the server, potentially leading to privilege escalation or remote code execution.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/e152b094-0593-428e-b813-068d2390ce68	Exploit
https://huntr.com/bounties/e152b094-0593-428e-b813-068d2390ce68	Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:composio:composio:0.4.3:*:*:*:*:*:*:*

History

01 Apr 2025, 20:30

Type	Values Removed	Values Added
References	~~() https://huntr.com/bounties/e152b094-0593-428e-b813-068d2390ce68 -~~	() https://huntr.com/bounties/e152b094-0593-428e-b813-068d2390ce68 - Exploit
CVSS	v2 : ~~unknown~~ v3 : ~~7.2~~	v2 : unknown v3 : 9.8
First Time		Composio composio Composio
CPE		cpe:2.3:a:composio:composio:0.4.3:::::::*

20 Mar 2025, 14:15

Type	Values Removed	Values Added
References	~~() https://huntr.com/bounties/e152b094-0593-428e-b813-068d2390ce68 -~~	() https://huntr.com/bounties/e152b094-0593-428e-b813-068d2390ce68 -
Summary		(es) En composiohq/composio versión 0.4.3, existe una vulnerabilidad de escritura y lectura de archivos sin restricciones en las acciones de filetools. Debido a la validación incorrecta de las rutas de archivo, un atacante puede leer y escribir archivos en cualquier parte del servidor, lo que podría provocar una escalada de privilegios o la ejecución remota de código.

20 Mar 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-20 10:15

Updated : 2025-04-01 20:30

NVD link : CVE-2024-8958

Mitre link : CVE-2024-8958

CVE.ORG link : CVE-2024-8958

JSON object : View

Products Affected

composio

composio

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2024-8958", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-03-20T10:15:45.220", "references": [{"url": "https://huntr.com/bounties/e152b094-0593-428e-b813-068d2390ce68", "tags": ["Exploit"], "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/e152b094-0593-428e-b813-068d2390ce68", "tags": ["Exploit"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "In composiohq/composio version 0.4.3, there is an unrestricted file write and read vulnerability in the filetools actions. Due to improper validation of file paths, an attacker can read and write files anywhere on the server, potentially leading to privilege escalation or remote code execution."}, {"lang": "es", "value": "En composiohq/composio versi\u00f3n 0.4.3, existe una vulnerabilidad de escritura y lectura de archivos sin restricciones en las acciones de filetools. Debido a la validaci\u00f3n incorrecta de las rutas de archivo, un atacante puede leer y escribir archivos en cualquier parte del servidor, lo que podr\u00eda provocar una escalada de privilegios o la ejecuci\u00f3n remota de c\u00f3digo."}], "lastModified": "2025-04-01T20:30:20.887", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:composio:composio:0.4.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17A3924D-B2D4-467A-935A-CF760AA17B7D"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}