Platform: python
Component: modelscope/agentscope
CVE-2024-8551 describes a path traversal vulnerability affecting modelscope/agentscope versions up to the latest release. This flaw allows attackers to bypass intended file system restrictions, potentially gaining unauthorized access to sensitive data. The vulnerability resides within the save-workflow and load-workflow functionalities, and a fix is available. Prompt patching is recommended to prevent exploitation.
The path traversal vulnerability in modelscope/agentscope allows an attacker to manipulate file paths, effectively bypassing security controls. This means an attacker can read and write arbitrary JSON files on the server's file system. The potential impact is significant: attackers could expose configuration files containing API keys, database credentials, or other sensitive information. They could also modify these files to inject malicious code or alter the application's behavior. The ability to write arbitrary files could lead to remote code execution if the application processes the modified JSON files without proper validation. This vulnerability presents a high risk of data breach and system compromise.
CVE-2024-8551 was published on 2025-03-20. The vulnerability's severity is rated as CRITICAL (CVSS 9.1). As of this writing, there are no publicly known proof-of-concept exploits. It is not currently listed in the CISA KEV catalog. Exploitation is likely of moderate difficulty, given the path traversal nature of the vulnerability, but it requires access to the save-workflow or load-workflow functionality.
Exploit Status
EPSS: 0.24% (47th percentile)
The primary mitigation for CVE-2024-8551 is to upgrade to a patched version of modelscope/agentscope. Consult the project's repository or release notes for the latest version containing the fix. If upgrading immediately is not feasible, consider implementing temporary workarounds such as restricting file system access for the agentscope process to only necessary directories. Implement strict input validation on any user-supplied file paths used in the save-workflow and load-workflow functions. Monitor file system activity for unexpected file creations or modifications, particularly in sensitive directories.
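One way to implement the input validation described above, as an added example rather than agentscope's own code or its actual patch. The names `resolve_workflow_path`, `save_workflow`, `load_workflow`, `rejected_names` and the idea of a single workflow storage directory are assumptions made for illustration.

```python
import json
import os
from pathlib import Path


class UnsafeWorkflowPath(ValueError):
    """A requested workflow name would leave the storage directory."""


def resolve_workflow_path(base_dir, filename):
    """Map a user-supplied name to a .json file directly inside base_dir."""
    plain = os.path.basename(filename)
    # Refuse empty names, NUL bytes and any directory part (either separator).
    if not filename or filename != plain or "\\" in filename or "\x00" in filename:
        raise UnsafeWorkflowPath(f"not a plain file name: {filename!r}")
    if not filename.endswith(".json"):
        raise UnsafeWorkflowPath("only .json workflow files are allowed")
    root = Path(base_dir).resolve()
    # Resolve symlinks, then re-check containment on the real target.
    candidate = (root / filename).resolve()
    if root not in candidate.parents:
        raise UnsafeWorkflowPath("resolved path escapes the workflow directory")
    return candidate


def save_workflow(base_dir, filename, workflow):
    path = resolve_workflow_path(base_dir, filename)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(workflow, fh)
    return path


def load_workflow(base_dir, filename):
    with open(resolve_workflow_path(base_dir, filename), encoding="utf-8") as fh:
        return json.load(fh)


def rejected_names(base_dir, names):
    """Return the subset of names that the validator refuses."""
    refused = []
    for name in names:
        try:
            resolve_workflow_path(base_dir, name)
        except UnsafeWorkflowPath:
            refused.append(name)
    return refused


# Constructed sample inputs, not taken from any real request.
SAMPLES = ["demo.json", "../outside.json", "/etc/app/config.json",
           "a/b.json", "..\\w.json", "notes.txt"]
```

The second containment check matters even after the name filter: a symlink placed inside the storage directory has a perfectly plain name but resolves elsewhere.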
Update the modelscope/agentscope library to the latest available version. This will resolve the path traversal vulnerability. Ensure you verify the release notes for any additional upgrade instructions.
CVE-2024-8551 is a critical path traversal vulnerability in modelscope/agentscope allowing attackers to read/write arbitrary JSON files, potentially exposing sensitive data.
Yes, if you are using modelscope/agentscope versions prior to the fix, you are vulnerable to this path traversal attack.
Upgrade to the latest version of modelscope/agentscope, which includes a patch for this vulnerability. Consult the project's repository for release details.
As of now, there are no publicly known active exploitation campaigns targeting CVE-2024-8551, but the vulnerability's severity warrants immediate attention.
Refer to the modelscope/agentscope project's repository or release notes for the official advisory and details on the fix.