CVE-2024-8955 in composio

Summary

by MITRE • 03/20/2025

A Server-Side Request Forgery (SSRF) vulnerability exists in composiohq/composio version v0.4.4. This vulnerability allows an attacker to read the contents of any file in the system by exploiting the BROWSERTOOL_GOTO_PAGE and BROWSERTOOL_GET_PAGE_DETAILS actions.

Analysis

by VulDB Data Team • 07/16/2025

The CVE-2024-8955 vulnerability represents a critical server-side request forgery flaw in the composiohq/composio v0.4.4 framework that exposes systems to arbitrary file reading capabilities. This vulnerability specifically targets two core actions within the framework: BROWSERTOOL_GOTO_PAGE and BROWSERTOOL_GET_PAGE_DETAILS, which are designed to facilitate browser automation and web page interaction. The flaw enables remote attackers to manipulate these actions in ways that bypass normal access controls and gain unauthorized access to system files. The vulnerability stems from insufficient input validation and sanitization of URLs and file paths passed to these browser automation functions, creating a pathway for malicious actors to traverse the file system and retrieve sensitive data.

From a technical perspective, the vulnerability operates by exploiting the lack of proper URL scheme validation and path traversal controls within the composio framework's browser automation components. When the BROWSERTOOL_GOTO_PAGE and BROWSERTOOL_GET_PAGE_DETAILS actions process user-supplied input, they fail to adequately validate whether the requested resources are legitimate web addresses or malicious file paths. This allows attackers to craft requests that direct the framework to access local files through protocols like file:// or other bypass mechanisms, effectively circumventing the intended web browsing restrictions. The vulnerability aligns with CWE-918, which specifically addresses server-side request forgery vulnerabilities, and demonstrates how improper input handling can lead to unauthorized system access. The flaw particularly leverages the framework's trust in user-provided URLs without sufficient validation, creating a dangerous attack surface that can be exploited through carefully constructed malicious requests.

The operational impact of CVE-2024-8955 extends far beyond simple information disclosure, as it provides attackers with the capability to access sensitive system files including configuration files, database credentials, application source code, and potentially system-level information. This vulnerability can be exploited in various attack scenarios, including reconnaissance phases where attackers gather system information, privilege escalation attempts through credential exposure, and potentially complete system compromise if sensitive files containing authentication tokens or private keys are accessible. The vulnerability's exploitation does not require elevated privileges, making it particularly dangerous as it can be leveraged by any remote attacker with access to the affected system. This weakness can also serve as a stepping stone for further attacks, potentially enabling lateral movement within networks or facilitating more sophisticated exploitation techniques.

Organizations utilizing composiohq/composio v0.4.4 should implement immediate mitigations to address this vulnerability, including thorough input validation for all URL and file path parameters within the affected actions. The recommended approach is strict URL scheme validation that rejects non-http/https protocols, combined with comprehensive path traversal detection. Additionally, the framework should enforce proper access controls and privilege separation to limit the scope of files that can be accessed through the browser automation functions. Security teams should also consider network segmentation and monitoring for suspicious URL patterns that may indicate exploitation attempts. The vulnerability demonstrates the importance of the principle of least privilege and proper input sanitization, as outlined in the MITRE ATT&CK framework's reconnaissance and credential access phases. Organizations should also establish monitoring procedures to detect anomalous file access patterns that may indicate exploitation of similar SSRF vulnerabilities in their environments.
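The scheme validation recommended above, as an added example (not composio's code and not its actual fix): a Python gate that a caller could run on a URL before handing it to a browser-navigation action. The names `check_navigation_url`, `is_allowed` and `UnsafeURL` are hypothetical, and the rejection of loopback, private and link-local literal hosts goes beyond the scheme rule as a general SSRF control.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class UnsafeURL(ValueError):
    """The URL must not be passed to the browser automation action."""


def check_navigation_url(raw: str) -> str:
    """Return raw unchanged if it is acceptable, otherwise raise UnsafeURL."""
    # Browsers strip whitespace and control characters before parsing, so a
    # URL containing any is rejected rather than normalised.
    if not isinstance(raw, str) or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in raw):
        raise UnsafeURL("whitespace or control character in URL")
    try:
        parts = urlsplit(raw)
        host = (parts.hostname or "").rstrip(".")
    except ValueError as exc:  # e.g. malformed IPv6 literal
        raise UnsafeURL(f"unparseable URL: {exc}") from exc
    if parts.scheme not in ALLOWED_SCHEMES:  # urlsplit lowercases the scheme
        raise UnsafeURL(f"scheme {parts.scheme or '(none)'!r} is not http/https")
    if not host:
        raise UnsafeURL("URL has no host")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("embedded credentials are not accepted")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    # A numeric last label makes browsers parse the host as an IPv4 address;
    # a colon here means an address literal that ipaddress could not parse.
    if ip is None and (":" in host or host.rsplit(".", 1)[-1][:1].isdigit()):
        raise UnsafeURL("non-canonical numeric host")
    if host == "localhost" or host.endswith(".localhost") or (ip and not ip.is_global):
        raise UnsafeURL("loopback, private or link-local destination")
    return raw


def is_allowed(raw: str) -> bool:
    """Boolean wrapper around check_navigation_url for callers and tests."""
    try:
        check_navigation_url(raw)
        return True
    except UnsafeURL:
        return False
```

A hostname that passes this gate still needs its resolved address checked at connection time, since the gate only inspects the string it is given.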

Responsible

@huntr Ai

Reservation

09/17/2024

Disclosure

03/20/2025

Moderation

accepted

CPE

ready

EPSS

0.00679

KEV

no

Activities

very low
