Platform: python
Component: modelscope/agentscope
CVE-2024-8524 describes a directory traversal vulnerability found in modelscope/agentscope, a Python package. This flaw allows an attacker to potentially read sensitive local JSON files by manipulating the /read-examples endpoint. The vulnerability impacts versions up to the latest release, and a fix is expected to be released by the maintainers. Prompt patching is advised to mitigate the risk.
The directory traversal vulnerability in modelscope/agentscope allows an attacker to bypass intended access controls and read arbitrary files on the server. Specifically, by crafting a malicious POST request to the /read-examples endpoint, an attacker can specify a path that leads to any file accessible by the application's user. This could expose configuration files, API keys, database credentials, or other sensitive data stored as JSON. The blast radius depends on the permissions of the application user; if the application runs with elevated privileges, the attacker could potentially access a wider range of files and data. While no direct remote code execution is possible, the exposure of sensitive data can lead to further compromise and lateral movement within the network.
CVE-2024-8524 was published on 2025-03-20. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept code is not yet available, but the vulnerability's nature makes it relatively easy to exploit. The CVSS score of 7.5 (HIGH) indicates a significant potential for exploitation.
EPSS: 0.67% (71st percentile)
The primary mitigation for CVE-2024-8524 is to upgrade to a patched version of modelscope/agentscope as soon as it becomes available. Until a patch is released, consider implementing input validation on the /read-examples endpoint to prevent attackers from manipulating the file path. A Web Application Firewall (WAF) could be configured to block requests containing suspicious path traversal sequences (e.g., ../). Monitor application logs for unusual file access patterns, particularly requests to the /read-examples endpoint. After upgrading, verify the fix by attempting to access a non-existent file through the /read-examples endpoint and confirming that access is denied.
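One way to implement the input validation suggested above for the /read-examples endpoint, shown next to the unchecked join it replaces. This is an added example, not agentscope's own code: the function names, the `examples` directory layout and the sample files are assumptions constructed for illustration.

```python
import json
import os
import tempfile
from pathlib import Path

def naive_path(base_dir, requested):
    # Weak pattern: the client-supplied value is joined without any check,
    # so "../" segments or an absolute path leave base_dir.
    return os.path.normpath(os.path.join(base_dir, requested))

def safe_example_path(base_dir, requested):
    """Resolve `requested` under base_dir; raise ValueError if it escapes."""
    if not isinstance(requested, str) or "\x00" in requested:
        raise ValueError("invalid path value")
    base = Path(base_dir).resolve()
    # resolve() collapses ".." and follows symlinks, so the containment
    # check is made on the file that would actually be opened.
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError("path escapes the examples directory") from None
    if candidate.suffix.lower() != ".json":
        raise ValueError("only .json files may be read")
    return candidate

def read_example(base_dir, requested):
    with open(safe_example_path(base_dir, requested), encoding="utf-8") as fh:
        return json.load(fh)

def demo():
    """Run four constructed request values against a temporary tree."""
    out = {}
    with tempfile.TemporaryDirectory() as root:
        examples = Path(root, "examples")
        examples.mkdir()
        (examples / "chat.json").write_text('{"name": "chat"}')
        secret = Path(root, "secrets.json")
        secret.write_text('{"api_key": "constructed"}')
        os.symlink(secret, examples / "link.json")  # link pointing outside
        cases = {"plain": "chat.json", "dotdot": "../secrets.json",
                 "absolute": str(secret), "symlink": "link.json"}
        for label, value in cases.items():
            try:
                out[label] = read_example(examples, value)
            except ValueError:
                out[label] = "rejected"
    return out
```

Checking the resolved path rather than filtering for `../` strings also covers absolute paths and symlinks, which a WAF pattern match on the request body does not see.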
Update the modelscope/agentscope library to a version later than 0.0.4 that fixes the path traversal vulnerability. This will prevent attackers from reading arbitrary local JSON files. See the release notes or changelog for details on the fix.
CVE-2024-8524 is a directory traversal vulnerability in modelscope/agentscope allowing attackers to read local JSON files via the /read-examples endpoint.
You are affected if you are using modelscope/agentscope version 0.0.4 or earlier.
Upgrade to a patched version of modelscope/agentscope as soon as it becomes available. Implement input validation on the /read-examples endpoint as a temporary workaround.
There is currently no indication of active exploitation, but the vulnerability's ease of exploitation warrants prompt mitigation.
Refer to the modelscope/agentscope project's repository or official communication channels for updates and advisories regarding CVE-2024-8524.