CVE-2024-8958

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-8958

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-8958.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-8958

Published

2025-03-20T10:15:45.220Z

Modified

2026-04-10T05:21:03.379555Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In composiohq/composio version 0.4.3, there is an unrestricted file write and read vulnerability in the filetools actions. Due to improper validation of file paths, an attacker can read and write files anywhere on the server, potentially leading to privilege escalation or remote code execution.

References

https://huntr.com/bounties/e152b094-0593-428e-b813-068d2390ce68

Affected packages

Git / github.com/composiohq/composio

Affected ranges

Type

GIT

Repo

https://github.com/composiohq/composio

Events

Introduced

Last affected

21484af4fb04f58d580763e685836921295a2d67

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.4.3"
        }
    ]
}

Affected versions

v0.*

v0.2.16

v0.2.17

v0.2.18

v0.2.19

v0.2.20

v0.2.21

v0.2.22

v0.2.23

v0.3.0

v0.3.10

v0.3.11

v0.3.12

v0.3.13

v0.3.14

v0.3.15

v0.3.16

v0.3.17

v0.3.18

v0.3.19

v0.3.2

v0.3.20

v0.3.21

v0.3.22

v0.3.23

v0.3.24

v0.3.25

v0.3.26

v0.3.28

v0.3.29

v0.3.3

v0.3.30

v0.3.4

v0.3.5

v0.3.6

v0.3.7

v0.3.7.1

v0.3.8

v0.3.9

v0.3.9-rc.1

v0.3.9-rc.2

v0.3.9-rc.3

v0.3.9rc4

v0.4.0

v0.4.1

v0.4.2

v0.4.3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-8958.json"