Plattform
python
Komponente
modelscope/agentscope
CVE-2024-8524 describes a directory traversal vulnerability discovered in modelscope/agentscope, a Python package. This flaw allows an attacker to read arbitrary local JSON files by manipulating the /read-examples endpoint. The vulnerability impacts all versions of modelscope/agentscope up to the latest available. A fix is expected in a future release.
The primary impact of CVE-2024-8524 is unauthorized access to sensitive data stored in JSON files on the server. An attacker exploiting this vulnerability could potentially read configuration files, API keys, or other sensitive information that could be used to compromise the system further. While the vulnerability itself doesn't grant remote code execution, the information gained could be leveraged for privilege escalation or lateral movement within the network. The blast radius depends on the sensitivity of the JSON files accessible through this endpoint and the attacker's ability to exploit the obtained information.
This vulnerability was publicly disclosed on 2025-03-20. Currently, there are no known public exploits or active campaigns targeting CVE-2024-8524. The vulnerability is not listed on the CISA KEV catalog. The ease of exploitation is relatively low due to the need for crafting specific POST requests, but the potential impact warrants attention.
Organizations using modelscope/agentscope in their Python applications, particularly those deploying it in environments where sensitive data is stored as JSON files, are at risk. This includes developers integrating agentscope into their AI workflows and those using it in shared hosting environments where file system access might be less restricted.
• python / server:
import requests
url = 'http://your-target-server/read-examples'
payload = {'file': '..//../../../../etc/passwd'}
response = requests.post(url, data=payload)
if 'root:' in response.text:
print('Potential vulnerability detected!')
else:
print('No vulnerability detected.')• generic web:
curl -X POST http://your-target-server/read-examples -d 'file=../../../../etc/passwd' | grep 'root:'disclosure
Exploit-Status
EPSS
0.67% (71% Perzentil)
CISA SSVC
CVSS-Vektor
Due to the lack of a specific fixed version, immediate mitigation focuses on restricting access to the /read-examples endpoint. Implement strong authentication and authorization controls to limit who can access this endpoint. Consider using a Web Application Firewall (WAF) to filter requests and block those containing malicious path traversal sequences. Input validation on the /read-examples endpoint is crucial to prevent attackers from manipulating the file path. Regularly review and update the modelscope/agentscope package to benefit from future security patches.
Actualice la biblioteca modelscope/agentscope a una versión posterior a 0.0.4 que corrija la vulnerabilidad de path traversal. Esto evitará que atacantes lean archivos JSON locales arbitrarios. Consulte las notas de la versión o el registro de cambios para obtener detalles sobre la corrección.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2024-8524 is a directory traversal vulnerability in modelscope/agentscope allowing attackers to read local JSON files via the /read-examples endpoint.
You are affected if you are using modelscope/agentscope version 0.0.4 or earlier.
Upgrade to a patched version of modelscope/agentscope as soon as it becomes available. Implement input validation on the /read-examples endpoint as a temporary workaround.
There is currently no indication of active exploitation, but the vulnerability's ease of exploitation warrants prompt mitigation.
Refer to the modelscope/agentscope project's repository or official communication channels for updates and advisories regarding CVE-2024-8524.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine requirements.txt-Datei hoch und wir sagen dir sofort, ob du betroffen bist.