CVE-2024-8958

In composiohq/composio version 0.4.3, there is an unrestricted file write and read vulnerability in the filetools actions. Due to improper validation of file paths, an attacker can read and write files anywhere on the server, potentially leading to privilege escalation or remote code execution.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/e152b094-0593-428e-b813-068d2390ce68	Exploit
https://huntr.com/bounties/e152b094-0593-428e-b813-068d2390ce68	Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:composio:composio:0.4.3:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-03-20 10:15

Updated : 2025-04-01 20:30

NVD link : CVE-2024-8958

Mitre link : CVE-2024-8958

CVE.ORG link : CVE-2024-8958

JSON object : View

Products Affected

composio

composio

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2024-8958", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}], "cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-03-20T10:15:45.220", "references": [{"url": "https://huntr.com/bounties/e152b094-0593-428e-b813-068d2390ce68", "tags": ["Exploit"], "source": "[email protected]"}, {"url": "https://huntr.com/bounties/e152b094-0593-428e-b813-068d2390ce68", "tags": ["Exploit"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "In composiohq/composio version 0.4.3, there is an unrestricted file write and read vulnerability in the filetools actions. Due to improper validation of file paths, an attacker can read and write files anywhere on the server, potentially leading to privilege escalation or remote code execution."}, {"lang": "es", "value": "En composiohq/composio versi\u00f3n 0.4.3, existe una vulnerabilidad de escritura y lectura de archivos sin restricciones en las acciones de filetools. Debido a la validaci\u00f3n incorrecta de las rutas de archivo, un atacante puede leer y escribir archivos en cualquier parte del servidor, lo que podr\u00eda provocar una escalada de privilegios o la ejecuci\u00f3n remota de c\u00f3digo."}], "lastModified": "2025-04-01T20:30:20.887", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:composio:composio:0.4.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17A3924D-B2D4-467A-935A-CF760AA17B7D"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}