HIGH 7.2
PYSEC-2026-1264
Composio Eval Injection Vulnerability
Details
In composiohq/composio version 0.4.3, the mathematical_calculator endpoint uses the unsafe eval() function to perform mathematical operations. This can lead to arbitrary code execution if untrusted input is passed to the eval() function.
Are you affected?
Enter the version of the package you're using.
Affected packages
PyPI / composio-core
Introduced in:
0 Fixed in: 0.5.43 Fix
pip install --upgrade 'composio-core>=0.5.43' References
- https://nvd.nist.gov/vuln/detail/CVE-2024-8953 [ADVISORY]
- https://github.com/ComposioHQ/composio/commit/ed82fb45dc9fbd7f07c535c72bada871c158ae5f [WEB]
- https://github.com/ComposioHQ/composio-js [PACKAGE]
- https://github.com/ComposioHQ/composio/blob/b932d99e67f0fe95f8a0a24be9352e3f99059bc3/python/composio/tools/local/mathematical/actions/calculator.py#L37 [WEB]
- https://huntr.com/bounties/8203d721-e05f-4500-a5bc-c0bec980420c [WEB]
- https://pypi.org/project/composio-core [PACKAGE]
- https://github.com/advisories/GHSA-5xg7-5662-8x7j [ADVISORY]