Homepage

composio-core@0.5.30 vulnerabilities

Core package to act as a bridge between composio platform and other services.

  • latest version

    0.7.15

  • first published

    1 years ago

  • latest version published

    12 days ago

  • licenses detected

  • View composio-core package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the composio-core package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Dynamic Variable Evaluation

    composio-core is a Core package to act as a bridge between composio platform and other services.

    Affected versions of this package are vulnerable to Dynamic Variable Evaluation through the eval function in the mathematical_calculator endpoint. An attacker can execute arbitrary code by injecting malicious input into the function.

    How to fix Dynamic Variable Evaluation?

    Upgrade composio-core to version 0.5.43 or higher.

    [,0.5.43)
    • M
    Server-side Request Forgery (SSRF)

    composio-core is a Core package to act as a bridge between composio platform and other services.

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the /api/actions/execute/WEBTOOL_SCRAPE_WEBSITE_CONTENT endpoint. An attacker with high privileges can read files, access AWS metadata, and interact with local services on the system by sending crafted requests to the affected endpoint.

    How to fix Server-side Request Forgery (SSRF)?

    There is no fixed version for composio-core.

    [0,)
    • M
    Improper Neutralization of Data within XPath Expressions ('XPath Injection')

    composio-core is a Core package to act as a bridge between composio platform and other services.

    Affected versions of this package are vulnerable to Improper Neutralization of Data within XPath Expressions ('XPath Injection') via the BROWSERTOOL_GOTO_PAGE and BROWSERTOOL_GET_PAGE_DETAILS actions. An attacker can read the contents of any file on the system by sending crafted requests.

    How to fix Improper Neutralization of Data within XPath Expressions ('XPath Injection')?

    There is no fixed version for composio-core.

    [0,)
    • H
    Arbitrary Command Injection

    composio-core is a Core package to act as a bridge between composio platform and other services.

    Affected versions of this package are vulnerable to Arbitrary Command Injection via the handle_tool_calls function due to improper user input sanitization.

    How to fix Arbitrary Command Injection?

    Upgrade composio-core to version 0.6.9 or higher.

    [,0.6.9)
    • M
    Code Injection

    composio-core is a Core package to act as a bridge between composio platform and other services.

    Affected versions of this package are vulnerable to Code Injection in the Calculator class, which passes arbitrary input to the eval() function.

    How to fix Code Injection?

    Upgrade composio-core to version or higher.

    [0,)
    Go back to all versions of this package