HIGH 7.2
PYSEC-2026-1264
Composio Eval Injection Vulnerability
상세
In composiohq/composio version 0.4.3, the mathematical_calculator endpoint uses the unsafe eval() function to perform mathematical operations. This can lead to arbitrary code execution if untrusted input is passed to the eval() function.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
참고
- https://nvd.nist.gov/vuln/detail/CVE-2024-8953 [ADVISORY]
- https://github.com/ComposioHQ/composio/commit/ed82fb45dc9fbd7f07c535c72bada871c158ae5f [WEB]
- https://github.com/ComposioHQ/composio-js [PACKAGE]
- https://github.com/ComposioHQ/composio/blob/b932d99e67f0fe95f8a0a24be9352e3f99059bc3/python/composio/tools/local/mathematical/actions/calculator.py#L37 [WEB]
- https://huntr.com/bounties/8203d721-e05f-4500-a5bc-c0bec980420c [WEB]
- https://pypi.org/project/composio-core [PACKAGE]
- https://github.com/advisories/GHSA-5xg7-5662-8x7j [ADVISORY]