Platform
python
Component
agentscope
Fixed in
0.0.5
CVE-2024-8438 describes a path traversal vulnerability discovered in Agentscope, a Python-based tool, specifically impacting versions up to 0.0.4. This flaw allows unauthorized access to sensitive files on the server. The vulnerability resides within the /api/file API endpoint, where insufficient sanitization of the path parameter enables attackers to bypass intended access controls. A fix is available, and users are strongly advised to upgrade.
The primary impact of CVE-2024-8438 is the potential for attackers to read arbitrary files from the server hosting Agentscope. By manipulating the path parameter in the /api/file endpoint, an attacker can bypass security measures and access files they should not have access to. This could include sensitive configuration files, source code, database credentials, or other confidential data. Successful exploitation could lead to data breaches, system compromise, and potentially, further lateral movement within the network if the accessed files contain credentials or other sensitive information. The blast radius depends on the permissions of the user running the Agentscope process and the files accessible from that location.
CVE-2024-8438 was publicly disclosed on 2025-03-20. There is no indication of this vulnerability being actively exploited at the time of writing. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The severity is rated as HIGH (CVSS 7.5), indicating a significant risk if exploited.
Exploit Status
EPSS
0.19% (41% percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2024-8438 is to upgrade to a patched version of Agentscope as soon as it becomes available. Until a patch is applied, several workarounds can be implemented to reduce the risk. Implement a Web Application Firewall (WAF) rule to block requests containing suspicious characters or patterns in the path parameter. Strict input validation on the /api/file endpoint is crucial; ensure that the path parameter is properly sanitized and validated against an allowlist of expected values. Consider restricting access to the /api/file endpoint to trusted networks or users. Monitor access logs for unusual activity related to the /api/file endpoint.
Actualice la biblioteca modelscope/agentscope a una versión posterior a la 0.0.4 que corrija la vulnerabilidad de path traversal. Consulte las notas de la versión o el registro de cambios para obtener más detalles sobre la corrección. Si no hay una versión corregida disponible, considere aplicar un parche temporal para validar y limpiar el parámetro 'path' antes de usarlo para acceder a archivos.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-8438 is a Path Traversal vulnerability in Agentscope versions up to 0.0.4, allowing attackers to read arbitrary files on the server via the /api/file endpoint.
You are affected if you are using Agentscope version 0.0.4 or earlier. Upgrade to a patched version as soon as possible.
The primary fix is to upgrade to a patched version of Agentscope. Until then, implement WAF rules and strict input validation on the /api/file endpoint.
There is currently no evidence of CVE-2024-8438 being actively exploited, but the vulnerability poses a significant risk.
Refer to the Agentscope project's official repository or website for updates and advisories related to CVE-2024-8438.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.