CVE-2024-53526: Composio: command injection in AI agent tool calls

GHSA-8h93-28hg-fj84 MEDIUM PoC AVAILABLE
Published January 8, 2025
CISO Take

Composio versions 0.5.40–0.6.8 allow OS command injection through the handle_tool_calls function in its OpenAI, Claude, and Julep integrations — any AI agent pipeline using these packages is exposed. Upgrade to 0.6.9 immediately. The CVSS scope change (S:C) means a compromised agent process can pivot to other system components, elevating the real-world impact beyond the base score.

What is the risk?

Rated medium (CVSS 6.4) but contextually elevated for AI agent deployments. Network-accessible with low privileges required and no user interaction needed. Scope change indicates blast radius extends beyond the vulnerable component. EPSS is low (0.75%) and not in CISA KEV, but composio is widely adopted in agentic AI stacks — the attack surface is material. Organizations running composio-based agents in production should treat this as high urgency.

What systems are affected?

Package           Ecosystem   Vulnerable Range      Patched
OpenAI Python     pip         >= 0.5.40, < 0.6.9    0.6.9
composio-claude   pip         >= 0.5.40, < 0.6.9    0.6.9
composio-julep    pip         >= 0.5.40, < 0.6.9    0.6.9

How severe is it?

CVSS 3.1: 6.4 / 10
EPSS: 0.6% chance of exploitation in 30 days (higher than 43% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium (public PoC indexed in trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Changed
C (Confidentiality): Low
I (Integrity): Low
A (Availability): None

What should I do?

5 steps
  1. Upgrade composio-openai, composio-claude, and composio-julep to >= 0.6.9 immediately.

  2. If patching is blocked, restrict network access to services using these packages and implement compensating controls at the network perimeter.

  3. Audit all uses of handle_tool_calls in your codebase for any custom wrappers that may replicate the pattern.

  4. Detect exploitation by monitoring for anomalous subprocess spawning from AI agent processes — unexpected shell invocations, child processes from Python interpreters, or lateral movement from agent hosts.

  5. Apply least-privilege to agent runtime environments to limit blast radius in case of exploitation.
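Step 4 above asks for monitoring of anomalous subprocess spawning from agent processes. The following is an added detection example, not Composio's code and not part of this advisory: it assumes a generic JSON-lines process-creation feed (an EDR or audit export) with the field names `ts`, `host`, `parent`, `child` and `cmdline`, and the sample events it scans are constructed for illustration. It flags a shell spawned by the Python interpreter that hosts the agent (the direct footprint of command injection through a tool handler) and any child binary outside the deployment's expected tool set.

```python
"""Flag suspicious child processes spawned by AI agent workers.

Added detection example; not Composio's code. Assumes a generic
JSON-lines process-creation feed with the field names used below.
The sample events are constructed.
"""
import json
import os
from typing import Iterable, List, Optional

# Interpreters that host the agent runtime. A shell child of one of these
# is the direct footprint of OS command injection through a tool handler.
AGENT_INTERPRETERS = {"python", "python3", "python3.11", "python3.12"}
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe"}
# Binaries the agent worker is expected to spawn (assumption: the
# deployment has documented its tool set). Anything else is worth a look.
EXPECTED_CHILDREN = {"git"}
METACHARS = (";", "|", "`", "$(", "&&")

# Constructed sample feed: one benign git call, one injected shell line,
# one unexpected network client, one event from an unrelated build host.
SAMPLE_EVENTS = """\
{"ts": "2025-01-08T10:00:01Z", "host": "agent-01", "parent": "/usr/bin/python3.12", "child": "/usr/bin/git", "cmdline": "git status --porcelain"}
{"ts": "2025-01-08T10:00:02Z", "host": "agent-01", "parent": "/usr/bin/python3.12", "child": "/bin/sh", "cmdline": "sh -c ls notes.txt; whoami"}
{"ts": "2025-01-08T10:00:03Z", "host": "agent-01", "parent": "/usr/bin/python3.12", "child": "/usr/bin/curl", "cmdline": "curl -s http://203.0.113.7/"}
{"ts": "2025-01-08T10:00:04Z", "host": "build-02", "parent": "/usr/bin/bash", "child": "/usr/bin/python3.12", "cmdline": "python3 setup.py build"}
"""


def classify(event: dict) -> Optional[str]:
    """Return a rule name for a suspicious event, or None if it is benign."""
    parent = os.path.basename(event["parent"])
    child = os.path.basename(event["child"])
    if parent not in AGENT_INTERPRETERS:
        return None  # not an agent worker; out of scope for this rule set
    if child in SHELLS:
        # Severity goes up when the shell line carries metacharacters:
        # that is the injected command itself, not a benign helper script.
        if any(m in event["cmdline"] for m in METACHARS):
            return "shell-with-metacharacters"
        return "shell-from-interpreter"
    if child not in EXPECTED_CHILDREN:
        return "unexpected-child"
    return None


def scan(lines: Iterable[str]) -> List[dict]:
    """Scan a JSON-lines feed and return one finding per suspicious event."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        rule = classify(event)
        if rule:
            findings.append({"ts": event["ts"], "host": event["host"],
                             "rule": rule, "cmdline": event["cmdline"]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS.splitlines()):
        print(f["ts"], f["host"], f["rule"], "|", f["cmdline"])
```

On the sample feed this yields two findings on agent-01 (the shell with metacharacters and the unexpected curl child) and ignores the build host, because the rules are scoped to the interpreter that runs the agent. In a real deployment the expected-children set comes from the tool registry the agent is configured with, so a new tool is added to the allowlist deliberately rather than silently.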

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
A.5.5 - AI system supply chain
NIST AI RMF
GOVERN 1.7 - Processes for identifying and managing AI risks across the lifecycle
OWASP LLM Top 10
LLM02 - Insecure Output Handling
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2024-53526 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-53526, increasing the risk of exploitation.

What systems are affected by CVE-2024-53526?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM tool-use pipelines, AI orchestration layers, multi-agent systems.

What is the CVSS score for CVE-2024-53526?

CVE-2024-53526 has a CVSS v3.1 base score of 6.4 (MEDIUM). The EPSS exploitation probability is 0.57%.

What is the AI security impact?

Affected AI Architectures

agent frameworks, LLM tool-use pipelines, AI orchestration layers, multi-agent systems

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0051.001 Indirect
AML.T0053 AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.5.5
NIST AI RMF: GOVERN 1.7
OWASP LLM Top 10: LLM02, LLM05

What are the technical details?

Original Advisory

composio >=0.5.40 is vulnerable to Command Execution in composio_openai, composio_claude, and composio_julep via the handle_tool_calls function.

Exploitation Scenario

An attacker with low-privilege access to an application backed by a composio agent crafts tool call parameters containing shell metacharacters (e.g., semicolons, backticks, or pipe operators). When the LLM returns a tool call response incorporating these inputs, handle_tool_calls passes them unsanitized to command execution. In a more sophisticated chain, an adversary uses indirect prompt injection — embedding malicious instructions into data the LLM ingests (emails, documents, web pages) — causing the LLM itself to generate the malicious tool call payload. From there, the attacker gains arbitrary code execution on the agent host and can pivot to connected services, exfiltrate API keys from environment variables, or establish persistence.

Weaknesses (CWE)

CWE-77 — Improper Neutralization of Special Elements used in a Command ('Command Injection'): The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

  • [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
  • [Implementation] If possible, ensure that all external commands called from the program are statically created.

Source: MITRE CWE corpus.
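The two CWE-77 mitigations above (prefer library calls to external processes; keep every external command statically created) are what a tool-call handler has to honour when an LLM, and by extension anyone who can influence the LLM's input, chooses the arguments. The following is an added example, not Composio's code and not the fixed `handle_tool_calls` implementation: it assumes a hypothetical tool call shaped as `{"name": ..., "arguments": {...}}` and an assumed two-tool registry. The model never picks the program or its flags; it only fills named slots, each slot has a validator, and execution uses an argv list with `shell=False` so metacharacters in a value are never parsed by a shell.

```python
"""Hardened tool-call dispatcher: statically created commands, no shell.

Added example for the CWE-77 mitigations; not Composio's code. Assumes a
hypothetical tool call {"name": ..., "arguments": {...}} and an assumed
tool registry.
"""
import os
import re
import subprocess
import sys
import tempfile
from typing import Callable, Dict, List, Optional

# Values the model supplies must match a strict allowlist before they reach
# argv: no path separators, no whitespace, no shell metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def validate_filename(value) -> str:
    if not isinstance(value, str) or not SAFE_NAME.fullmatch(value):
        raise ValueError(f"rejected argument: {value!r}")
    return value


# Each tool is a fixed argv template (assumed tool set). The model never
# chooses the program or its flags; it only fills named {slots}.
TOOL_REGISTRY: Dict[str, dict] = {
    # Stand-in for an external word-count utility, implemented with the
    # current interpreter so the example runs on any platform.
    "word_count": {
        "argv": [sys.executable, "-c",
                 "import sys; print(len(open(sys.argv[1]).read().split()))",
                 "{path}"],
        "params": {"path": validate_filename},
    },
    "git_status": {
        "argv": ["git", "status", "--porcelain", "--", "{path}"],
        "params": {"path": validate_filename},
    },
}


def build_argv(tool_call: dict) -> List[str]:
    """Turn a model-produced tool call into an argv list, or raise ValueError."""
    spec = TOOL_REGISTRY.get(tool_call.get("name"))
    if spec is None:
        raise ValueError(f"unknown tool: {tool_call.get('name')!r}")
    args = tool_call.get("arguments") or {}
    validators: Dict[str, Callable[[object], str]] = spec["params"]
    if set(args) != set(validators):
        raise ValueError(f"parameter set mismatch: {sorted(args)} vs {sorted(validators)}")
    clean = {name: check(args[name]) for name, check in validators.items()}
    argv = []
    for part in spec["argv"]:
        # Only whole-token slots are substituted, so a value can never be
        # spliced into the middle of a flag or another argument.
        if part.startswith("{") and part.endswith("}"):
            argv.append(clean[part[1:-1]])
        else:
            argv.append(part)
    return argv


def run_tool_call(tool_call: dict, cwd: Optional[str] = None) -> subprocess.CompletedProcess:
    argv = build_argv(tool_call)
    # List form with shell=False: the OS receives argv as-is, so ';', '|'
    # or backticks inside a value are just characters in one argument.
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=30, cwd=cwd)


def rejects(tool_call: dict) -> bool:
    """True if the dispatcher refuses the call before anything executes."""
    try:
        build_argv(tool_call)
    except ValueError:
        return True
    return False


def demo() -> str:
    """Run word_count on a constructed file and return its stdout."""
    with tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(workdir, "notes.txt"), "w") as fh:
            fh.write("one two three\n")
        call = {"name": "word_count", "arguments": {"path": "notes.txt"}}
        return run_tool_call(call, cwd=workdir).stdout.strip()


if __name__ == "__main__":
    print(demo())  # 3
    print(rejects({"name": "word_count",
                   "arguments": {"path": "notes.txt; whoami"}}))  # True
```

A rejected call should be returned to the model as a structured error rather than retried with looser checks; the registry, not the model output, is the source of truth for what may run. Where a library call exists for the task (here, counting words in Python directly), the first CWE-77 mitigation applies and the subprocess is not needed at all.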

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Timeline

Published: January 8, 2025
Last Modified: January 31, 2025
First Seen: March 24, 2026

Related Vulnerabilities