ComposioHQ Composio
cpe:2.3:a:composio:composio:*:*:*:*:*:*:*
- 0.7.20
A directory traversal vulnerability has been identified in Composio (ComposioHQ) version 0.7.20. The vulnerability allows remote attackers to read sensitive information through the '_download_file_or_dir' function. The function does not properly sanitize user-provided file paths, so an attacker can supply path traversal sequences or an absolute path to navigate outside the intended directory and read any file on the server's filesystem that the application has permission to read.
Exploitation of this vulnerability could lead to unauthorized reading of files on the server, including sensitive information such as SSH keys, confidential data, internal configurations, and other critical files.
To reproduce this vulnerability, upload the Composio application and run the server on localhost port 8000. Once the server is running, send a GET request to the '/api/download' endpoint with a crafted file parameter that includes path traversal sequences. The server will respond with the contents of the requested file, demonstrating the successful exploitation of the vulnerability.
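The following is an added example, not Composio's code and not the fix the project shipped. It shows the defensive pattern a download handler of this kind needs (canonicalize the base directory and the requested path, then fail closed unless the result stays inside the base, including through symlinks) and a detection check over constructed request log lines for the request shape described above. The function names `resolve_download_path` and `flag_traversal_requests`, the log line format, and the scratch files created in `self_check` are assumptions made for this example; the `/api/download` endpoint and the `file` parameter follow the reproduction step in the advisory.

```python
"""Hardened path resolution for a download endpoint plus a log check.

Added example; not Composio's code. Names, log format and sample data are
constructed for illustration.
"""
import os
import re
import tempfile
import urllib.parse
from pathlib import Path


class PathOutsideBase(ValueError):
    """Raised when the requested path does not stay inside base_dir."""


def resolve_download_path(base_dir, requested: str) -> Path:
    """Return the canonical path for ``requested`` if it lies inside ``base_dir``.

    Rejects absolute paths, traversal sequences that escape the base directory,
    and symlinks that resolve outside it. Both sides are canonicalized before
    the containment check so the comparison is on real paths, not on strings.
    """
    base = Path(base_dir).resolve()
    if not requested or requested != requested.strip():
        raise PathOutsideBase("empty or padded path")
    # Explicit slash check covers platforms where isabs() ignores a bare leading slash.
    if os.path.isabs(requested) or requested.startswith(("/", "\\")):
        raise PathOutsideBase("absolute paths are not allowed")
    candidate = (base / requested).resolve()  # follows symlinks, collapses '..'
    try:
        inside = os.path.commonpath([str(base), str(candidate)]) == str(base)
    except ValueError:  # different drives on Windows: treat as outside
        inside = False
    if not inside:
        raise PathOutsideBase(f"{requested!r} escapes {base}")
    return candidate


def flag_traversal_requests(log_lines):
    """Return the log lines whose ``file`` parameter is a traversal or absolute path.

    Constructed log format: '<ip> "GET <url> HTTP/1.1" <status>'. The value is
    decoded a second time after parse_qs so double-encoded dots are caught.
    """
    hits = []
    for line in log_lines:
        try:
            url = line.split('"')[1].split(" ")[1]
        except IndexError:
            continue  # not a request line in the expected shape
        params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        for value in params.get("file", []):
            decoded = urllib.parse.unquote(value)
            segments = decoded.replace("\\", "/").split("/")
            if (".." in segments
                    or decoded.startswith(("/", "\\"))
                    or re.match(r"[A-Za-z]:", decoded)):
                hits.append(line)
                break
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 "GET /api/download?file=reports/q1.csv HTTP/1.1" 200',
    '10.0.0.9 "GET /api/download?file=..%2F..%2Fconfig%2Fapp.ini HTTP/1.1" 200',
    '10.0.0.9 "GET /api/download?file=%252e%252e%2Fsecrets.env HTTP/1.1" 200',
    '10.0.0.7 "GET /api/download?file=/opt/app/.env HTTP/1.1" 200',
    '10.0.0.5 "GET /api/download?file=docs/readme..txt HTTP/1.1" 200',
    '10.0.0.2 "GET /api/health HTTP/1.1" 200',
]


def self_check() -> dict:
    """Exercise the resolver against a scratch directory; return outcomes by case."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        base = Path(scratch) / "downloads"
        (base / "reports").mkdir(parents=True)
        (base / "reports" / "q1.csv").write_text("constructed sample\n")
        outside = Path(scratch) / "outside.txt"
        outside.write_text("must never be served\n")
        served = resolve_download_path(base, "reports/q1.csv")
        results["benign_ok"] = served.read_text().startswith("constructed")
        bad_cases = {
            "dotdot": "../outside.txt",
            "nested_dotdot": "reports/../../outside.txt",
            "absolute": str(outside),
        }
        for name, bad in bad_cases.items():
            try:
                resolve_download_path(base, bad)
                results[name] = False
            except PathOutsideBase:
                results[name] = True
        try:  # a symlink inside base that points outside must also be refused
            (base / "escape").symlink_to(outside)
            try:
                resolve_download_path(base, "escape")
                results["symlink"] = False
            except PathOutsideBase:
                results["symlink"] = True
        except OSError:
            results["symlink"] = None  # platform without symlink support
    return results


if __name__ == "__main__":
    print(self_check())
    print(flag_traversal_requests(SAMPLE_LOG))
```

The containment test compares canonical paths rather than rejecting the literal string `..`, which is what closes the symlink and encoding variants; the log check is the complementary detective control, and the `readme..txt` line shows why it tests path segments rather than substrings.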