Local File Inclusion Vulnerability in ModelScope AgentScope
CVE-2024-8550
Currently unrated
What is CVE-2024-8550?
A Local File Inclusion vulnerability exists in the /load-workflow endpoint of ModelScope's AgentScope version 0.0.4. An attacker can abuse the filename parameter to read arbitrary files on the server, including sensitive information such as API keys. The root cause is insufficient sanitization of user input passed to the os.path.join function, which allows path traversal and exposes files outside the designated directory.
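The root cause described above, shown next to a hardened form, as an added example that is not AgentScope's own code: os.path.join neither collapses ".." nor keeps the base directory when the second argument is absolute, so the result must be canonicalized and checked for containment. The function names, the "workflows" directory and the sample filenames are hypothetical and constructed for illustration.

```python
import os
import tempfile


def resolve_unsafe(base_dir, filename):
    # Pattern named in the advisory: user input goes straight into os.path.join.
    return os.path.join(base_dir, filename)


def resolve_safe(base_dir, filename):
    """Return a canonical path inside base_dir, or raise ValueError."""
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks before the containment check.
    candidate = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes workflow directory: {filename!r}")
    return candidate


def escapes(base_dir, path):
    """True if path, once canonicalized, lies outside base_dir."""
    base = os.path.realpath(base_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


def demo():
    """Run constructed filenames through both resolvers; nothing is opened or read."""
    results = []
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "workflows")  # hypothetical storage directory
        os.mkdir(base)
        samples = [  # constructed inputs
            ("plain", "flow.json"),
            ("dotdot", "../secrets.env"),
            ("absolute", os.path.join(root, "secrets.env")),
            ("nested", "sub/../../secrets.env"),
        ]
        for label, name in samples:
            unsafe_escapes = escapes(base, resolve_unsafe(base, name))
            try:
                resolve_safe(base, name)
                verdict = "allowed"
            except ValueError:
                verdict = "rejected"
            results.append((label, unsafe_escapes, verdict))
    return results


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The same containment check works as a regression test for any handler that builds file paths from request parameters.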
Affected Version(s)
modelscope/agentscope <= unspecified
