5.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-8864

GHSA ID

GHSA-mrmh-3hqh-pfw7

EPSS Score

0.25996%

CWE

CWE-94

Published

9/16/2024

Updated

9/17/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-8864

CVE-2024-8864: Composio Code Injection Vulnerability

A vulnerability has been found in composiohq composio up to 0.5.6 and classified as critical. Affected by this vulnerability is the function Calculator of the file python/composio/tools/local/mathematical/actions/calculator.py. The manipulation leads to code injection. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

(GitHub Advisory)

5.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-8864

GHSA ID

GHSA-mrmh-3hqh-pfw7

EPSS Score

0.25996%

CWE

CWE-94

Published

9/16/2024

Updated

9/17/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
composio-core	pip	<= 0.5.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the Calculator action's execute method (line 29 in calculator.py) which uses eval() on unvalidated user input (request.operation). This violates CWE-94 as it allows code injection by passing malicious payloads in mathematical expressions. Multiple sources confirm the vulnerable pattern: 1) The GitHub code shows direct eval() usage, 2) CVE description explicitly mentions this function/file, 3) VulDB submission details the lack of input restrictions, and 4) The CVSS metrics align with code injection impacts. The combination of unsanitized eval usage and explicit vulnerability reports gives high confidence in this identification.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility **s ***n *oun* in *omposio*q *omposio up to *.*.* *n* *l*ssi*i** *s *riti**l. *****t** *y t*is vuln*r**ility is t** *un*tion **l*ul*tor o* t** *il* pyt*on/*omposio/tools/lo**l/m*t**m*ti**l/**tions/**l*ul*tor.py. T** m*nipul*tion l***s

Reasoning

T** vuln*r**ility st*ms *rom t** `**l*ul*tor` **tion's `*x**ut*` m*t*o* (lin* ** in `**l*ul*tor.py`) w*i** us*s `*v*l()` on unv*li**t** us*r input (`r*qu*st.op*r*tion`). T*is viol*t*s *W*-** *s it *llows *o** inj**tion *y p*ssin* m*li*ious p*ylo**s i

5.5

Basic Information

Concerned about an active attack path?

CVE-2024-8864: Composio Code Injection Vulnerability

5.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI