repository icon
composiohq / composio Project repository

Composio equip's your AI agents & LLMs with 100+ high-quality integrations via function calling

Submit a report

FIRST INTERACTION

WITHINN/A DAYS

REVIEW

WITHIN13 DAYS

FIX

WITHINN/A DAYS

Arbitrary Local File Read via LLM-Controlled file_uploadable Path — No Directory...
snailsploit
self closed
SSRF via file_uploadable URL Fetch — No IP Filtering in _fetch_file_from_url()
snailsploit
self closed
Arbitrary file write via path traversal in FileDownloadable.write()
lexi-core-ai
pending
SSRF via proxy() tool endpoint — unvalidated user-controlled URL in HTTP request...
odysseypro25-project
pending
Unsafe deserialization via pickle in Composio tool and action serialization
etwithin
pending
Path Traversal in FileDownloadable.download() Allows Arbitrary File Write via Ma...
galanzi2580-wq
duplicate
High
Path Traversal in FileDownloadable.download() — Arbitrary File Write via Malicio...
nottiboy137
duplicate
Critical
Path Traversal in FileDownloadable.download() allows arbitrary file write
optimus-fulcria
duplicate
Medium
FileDownloadable Path Traversal + Arbitrary File Read via LLM-Controlled Paramet...
iiviel
pending
API Key Exposure in Debug Logs (TypeScript SDK)
aydinnyunus
pending
Remote Code Execution via Malicious Tool Upload
pricx
pending
Local File Read (LFI) via download API
pricx
pending
@app.get("/api/download") : Path Injection
im-soohyun
pending
Insecure Temporary File in Composio
ralph13
pending
RCE via malicious pip package
lyutoon
duplicate
Critical
Unauthenticated DoS via multipart boundry
mnqazi
informative
High
server.api Remote Command Injection & Unauthorized File Deletion Vulnerability
morphykutay
duplicate
Critical
Cross-Site Request Forgery (CSRF)
mnqazi
duplicate
High
Local File Inclusion
mnqazi
duplicate
High
server.api Path Traversal
morphykutay
duplicate
High
Dangers subprocess.Popen in SHELLTOOL_SPAWN_PROCESS tool
12end
duplicate
High
Dangers eval in MATHEMATICAL tool
12end
duplicate
High
Unauthenticated arbitrary file read in api/download
r00tuser111
duplicate
High
Missing validation step for `x-api-key` lead to authentication bypass
vtgsxx
Critical
$900CVE-2024-8954
Arbitrary File Read via /api/download
vtgsxx
duplicate
High
@app.get("/api/download") : Path Injection
im-soohyun
duplicate
High
Email Check Bypass via Case Manipulation in "Add Member" Functionality
elcapitanoo7x
not applicable
1-Click Account Takeover via "Add Member" Functionality
elcapitanoo7x
not applicable
Insecure Direct Object Reference (IDOR) in Integration Information
elcapitanoo7x
not applicable
There is an arbitrary file read vulnerability at /api/download.
aftersnows
duplicate
High
Path Traversal Vulnerability in File Search Function
amdjedbens
informative
Medium
Composio's Local tools Mathematical has a code injection risk
aftersnows
duplicate
Critical
Remote Code Execution via POST /api/actions/execute/FILETOOL_GIT_PATCH API end p...
zpbrent
informative
Critical
SSRF via POST /api/actions/execute/WEBTOOL_SCRAPE_WEBSITE_CONTENT and WEBTOOL_SC...
zpbrent
duplicate
Critical
Remote Code Execution via POST /api/actions/execute/FILETOOL_GIT_CLONE API end p...
zpbrent
duplicate
Critical
Arbitrary File Write via POST /api/actions/execute/FILETOOL_CREATE_FILE + FILETO...
zpbrent
duplicate
Critical
Local File Read (LFI) via POST /api/actions/execute/FILETOOL_OPEN_FILE API end p...
zpbrent
duplicate
High
Remote Code Execution via POST /api/actions/execute/MATHEMATICAL_CALCULATOR API...
zpbrent
duplicate
Critical
Remote Code Execution via Dependency Injection in` /api/tools` Endpoint in compo...
cyfra07
duplicate
Critical
path traversal at API /api/actions/execute/FILETOOL_SEARCH_WORD - Allows attack...
nam-no
duplicate
High
Code Injection
azqzazq1
duplicate
Critical
Code Execution with `/api/tools`
0gur1
duplicate
High
Arbitrary code execution with action `SHELL_EXEC_COMMAND`
0gur1
duplicate
High
Arbitrary File Read/Download vulnerability via Composio Server
7resp4ss
duplicate
High
Path Traversal
azqzazq1
duplicate
High
Code Injection
azqzazq1
duplicate
Critical
Remote Code Execution via Arbitrary Python Code Injection in /api/tools Endpoint
cyfra07
duplicate
Critical
Local File Inclusion (LFI) in /api/download Endpoint Allows Unauthorized File Ac...
cyfra07
duplicate
High
CSRF in /api/apps/update
hainguyen0207
duplicate
Medium
Command Injection in Gitcmdtool
hainguyen0207
informative
Critical
SSRF in BROWSERTOOL
hainguyen0207
Medium
$75CVE-2024-8955
Os Command in api/actions/execute/SHELL_SPAWN_PROCESS
hainguyen0207
duplicate
Critical
Command Injection in SEARCHTOOL
hainguyen0207
informative
Critical
Command Injection in FILEEDITTOOL
hainguyen0207
informative
Critical
Create, Overwrite any file in the system
hainguyen0207
duplicate
Critical
Local File Inclusion in composio tooling server
virusday
duplicate
High
Path Traversal - Change recent folders, view list contents, any file in FILETOOL
hainguyen0207
informative
High
SSRF in /api/actions/execute/WEBTOOL_SCRAPE_WEBSITE_ELEMENT
hainguyen0207
informative
High
Arbitrary file writing can lead to RCE via FILETOOL_WRITE Action
vn-ncvinh
duplicate
Critical
Unrestricted File write, read, git clone in filetools actions
rook1337
High
$450CVE-2024-8958
OS Command Injection in FILETOOL_GIT_CLONE Action
vn-ncvinh
informative
Critical
Remote-Code Exeution via dynamic module importing | Arbitray File Overwrite | Pi...
retr0reg
duplicate
Critical
LFIs at "/api/download"
retr0reg
duplicate
High
Unauthenticated Code execution in shell_exec tools
rook1337
duplicate
Critical
RCE via SHELL_SPAWN_PROCESS Action
vn-ncvinh
informative
Critical
RCE via SHELL_EXEC_COMMAND Action
vn-ncvinh
informative
Critical
SSRF in WEBTOOL_SCRAPE_WEBSITE_CONTENT Action
vn-ncvinh
duplicate
High
RCE through pip install not safe dependencies
vn-ncvinh
duplicate
Critical
Remote Code Execution by calling public API `/api/tools`
lyutoon
duplicate
Critical
Local File Read (LFI) by public API `/api/download`
lyutoon
duplicate
High
RCE via /api/tools
vn-ncvinh
duplicate
Critical
RCE via MATHEMATICAL_CALCULATOR
vn-ncvinh
duplicate
Critical
Unsafe eval usage in mathematical_calculator endpoint
rook1337
High
$450CVE-2024-8953
Code Injection at API /api/tools
ngductung
duplicate
Critical
Unauthenticated command injection on /api/tools endpoint
rook1337
duplicate
Critical
Remote Code Execution via POST /api/tools API end point
zpbrent
informative
Critical
Unauthenticated path traversal on /api/download feature
rook1337
duplicate
Critical
Site-Wide Cross-Site Request Forgery (CSRF)
0xanis
informative
High
Local File Read (LFI) via GET /api/download API end point
zpbrent
duplicate
High
Remote Code execution via arbitrary python code execution
winters0x64
duplicate
Critical
Code Injection
0xanis
informative
Critical
Local FIle Inclusion
0xanis
duplicate
High
I will update later
hainguyen0207
spam
SSRF in /api/actions/execute/WEBTOOL_SCRAPE_WEBSITE_CONTENT
hainguyen0207
Medium
$75CVE-2024-8952
Path traversal leads to view any files
fewword
duplicate
High
Path Traversal at /api/tools
kienzx203
informative
High
Path Traversal in API `/api/download`
duongli99
informative
High
huntr: composiohq/composio