Platform
python
Component
agentscope
Fixed in
0.0.5
CVE-2024-8438 describes a path traversal vulnerability discovered in Agentscope, a Python-based tool. This flaw allows unauthorized access to sensitive files on the server by manipulating the path parameter within the /api/file API endpoint. Versions of Agentscope prior to 0.0.4 are affected, and a fix is expected to be released by the Agentscope development team.
The path traversal vulnerability in Agentscope allows an attacker to bypass intended access controls and read arbitrary files on the server hosting the application. This could include sensitive configuration files, source code, database credentials, or other confidential data. Successful exploitation could lead to complete compromise of the server and its data. The attacker could potentially gain access to the entire file system, depending on the permissions of the user account running the Agentscope application.
This vulnerability was publicly disclosed on 2025-03-20. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 7.5 (HIGH) indicates a significant risk, and it is recommended to apply mitigations promptly. This vulnerability is not currently listed on CISA KEV.
Organizations deploying Agentscope in production environments, particularly those with sensitive data stored on the same server, are at risk. Environments with weak access controls or inadequate input validation practices are especially vulnerable. Shared hosting environments where Agentscope is installed alongside other applications could also be affected if the vulnerability is exploited to gain access to other tenants' data.
• python / agentscope:
import requests

url = 'http://your-agentscope-server/api/file'  # Replace with your server

try:
    # Attempt to read a sensitive file through the path parameter
    response = requests.get(url + '?path=/etc/passwd')
    if response.status_code == 200:
        print('Potential Path Traversal Detected!')
        print(response.text)
    else:
        print('No Path Traversal Detected.')
except requests.exceptions.RequestException as e:
    print(f'Error: {e}')
• generic web:
curl 'http://your-agentscope-server/api/file?path=../../../../etc/passwd' -s | grep 'root:'
Disclosure
Exploit status
EPSS
0.19% (41st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-8438 is to upgrade Agentscope to a version that includes the necessary fix. As no fixed version is currently specified, closely monitor the Agentscope project's repository and release notes for updates. Until a patch is available, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious path traversal sequences (e.g., ../). Restrict access to the /api/file endpoint to trusted sources only. Regularly review file system permissions to ensure the Agentscope application runs with the least privilege necessary.
Update the modelscope/agentscope library to a version later than 0.0.4 that corrects the path traversal vulnerability. Consult the release notes or changelog for details of the fix. If no fixed version is available, consider applying a temporary patch that validates and sanitizes the 'path' parameter before using it to access files.
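The temporary patch described above, validating the path parameter before it reaches the filesystem, looks like the following. This is an added example and not code from AgentScope or from the advisory: the function names (`resolve_safely`, `serve_file_unsafe`, `serve_file_safe`) are hypothetical, and the sandbox directory it builds is constructed only so the example runs offline. The unsafe handler shows the naive join that honours `..` and absolute paths; the safe one resolves the candidate path and refuses anything outside the allowed directory.

```python
import os
import shutil
import tempfile
from pathlib import Path


def resolve_safely(base_dir: str, requested: str) -> Path:
    """Map a user-supplied relative path onto base_dir, refusing anything that escapes it."""
    base = Path(base_dir).resolve()
    # An absolute path makes os.path.join / Path joining discard base_dir entirely.
    if Path(requested).is_absolute():
        raise ValueError("absolute paths are not allowed")
    # resolve() collapses '..' segments and follows symlinks, so the containment
    # check below covers '../../etc/passwd' as well as a symlink pointing outside.
    candidate = (base / requested).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError("path escapes the allowed directory")
    return candidate


def serve_file_unsafe(base_dir: str, requested: str) -> bytes:
    # Vulnerable pattern (hypothetical handler): '..' and absolute paths are honoured.
    with open(os.path.join(base_dir, requested), "rb") as f:
        return f.read()


def serve_file_safe(base_dir: str, requested: str) -> bytes:
    # Hardened pattern: only paths that resolve inside base_dir are opened.
    with open(resolve_safely(base_dir, requested), "rb") as f:
        return f.read()


def make_sandbox() -> tuple:
    """Constructed fixture: files/notes.txt is servable, ../secret.txt must not be."""
    root = tempfile.mkdtemp(prefix="agentscope-demo-")
    files_dir = os.path.join(root, "files")
    os.mkdir(files_dir)
    with open(os.path.join(files_dir, "notes.txt"), "wb") as f:
        f.write(b"hello")
    with open(os.path.join(root, "secret.txt"), "wb") as f:
        f.write(b"secret")
    return root, files_dir


def attempt(fn, *args):
    """Run a handler and report 'rejected' when the path check refuses the request."""
    try:
        return fn(*args)
    except ValueError:
        return "rejected"


def demo() -> dict:
    root, files_dir = make_sandbox()
    results = {"files_dir": files_dir}
    try:
        # A legitimate request inside the allowed directory succeeds.
        results["safe_ok"] = serve_file_safe(files_dir, "notes.txt")
        # Traversal via '..': the unsafe handler leaks the file outside the root ...
        results["unsafe_traversal"] = serve_file_unsafe(files_dir, "../secret.txt")
        # ... while the safe handler refuses it.
        results["safe_traversal"] = attempt(serve_file_safe, files_dir, "../secret.txt")
        # Absolute path: os.path.join silently drops base_dir, the safe handler rejects it.
        results["unsafe_absolute"] = os.path.join(files_dir, "/etc/passwd")
        results["safe_absolute"] = attempt(serve_file_safe, files_dir, "/etc/passwd")
    finally:
        shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The check relies on `Path.resolve()` rather than string matching on `../`, because URL-encoded or doubled separators are normalised away by the time the path is resolved; a WAF rule on the literal sequence is a useful stop-gap but not a substitute for this containment check in the handler itself.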
CVE-2024-8438 is a Path Traversal vulnerability in Agentscope versions up to 0.0.4, allowing attackers to read arbitrary files on the server via the /api/file endpoint.
You are affected if you are using Agentscope version 0.0.4 or earlier. Upgrade to a patched version as soon as possible.
The primary fix is to upgrade to a patched version of Agentscope. Until then, implement WAF rules and strict input validation on the /api/file endpoint.
There is currently no evidence of CVE-2024-8438 being actively exploited, but the vulnerability poses a significant risk.
Refer to the Agentscope project's official repository or website for updates and advisories related to CVE-2024-8438.