CVE-2024-8438 Overview
CVE-2024-8438 is a path traversal vulnerability [CWE-22] in ModelScope AgentScope version 0.0.4. The /api/file endpoint fails to sanitize the path parameter, allowing unauthenticated attackers to read arbitrary files on the host system. Remote attackers can retrieve sensitive files such as configuration data, credentials, and source code by supplying crafted path values containing directory traversal sequences.
Critical Impact
Unauthenticated remote attackers can read arbitrary files on servers running AgentScope 0.0.4 by sending crafted requests to the /api/file endpoint.
Affected Products
- ModelScope AgentScope 0.0.4
- Deployments exposing the AgentScope /api/file API endpoint
- Applications embedding vulnerable AgentScope components
Discovery Timeline
- 2025-03-20 - CVE-2024-8438 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-8438
Vulnerability Analysis
AgentScope is an open-source framework from ModelScope for building multi-agent applications powered by large language models. Version 0.0.4 exposes an HTTP API endpoint at /api/file intended to serve files needed by agents and the web interface.
The endpoint accepts a user-supplied path parameter and reads the referenced file from the local filesystem. The implementation does not validate that the resolved path stays inside an approved directory. Attackers can supply relative traversal sequences such as ../../../../etc/passwd to escape the intended base directory.
Because the endpoint requires no authentication, exploitation only requires network reachability to the AgentScope service. Successful requests return raw file contents to the caller, enabling disclosure of operating system files, application configuration, API tokens, model credentials, and private source code.
Root Cause
The root cause is missing input sanitization on the path parameter in the /api/file handler. The code concatenates or resolves user input against a base directory without canonicalization checks. Standard defenses such as os.path.realpath validation, allowlisting, or rejecting .. sequences are absent, matching the [CWE-22] pattern of improper limitation of a pathname to a restricted directory.
Attack Vector
Exploitation occurs over the network against the AgentScope HTTP service. An attacker issues a GET request to /api/file with a path value containing directory traversal sequences pointing to a target file outside the intended serving directory. The server reads the file and returns its contents in the HTTP response. No credentials, user interaction, or prior access are required. Additional technical details are available in the Huntr Bounty Listing.
Detection Methods for CVE-2024-8438
Indicators of Compromise
- HTTP requests to /api/file containing ../ sequences or URL-encoded variants such as %2e%2e%2f in the path parameter
- Requests referencing sensitive absolute paths such as /etc/passwd, /etc/shadow, .env, or id_rsa
- Anomalous outbound response sizes from the AgentScope service correlating with file read requests
- Access log entries showing repeated /api/file requests from a single source targeting varied paths
Detection Strategies
- Deploy web application firewall (WAF) rules that inspect the path query parameter for traversal patterns and encoded variants
- Alert on any request to /api/file where the resolved path falls outside the expected serving directory
- Correlate application logs with process telemetry to identify unexpected file reads triggered by the AgentScope service account
Monitoring Recommendations
- Enable verbose access logging on any reverse proxy fronting AgentScope and retain logs for retrospective hunting
- Monitor read access on high-value files such as /etc/passwd, SSH keys, and application secrets
- Track network egress from AgentScope hosts to detect exfiltration following successful file reads
How to Mitigate CVE-2024-8438
Immediate Actions Required
- Upgrade AgentScope beyond version 0.0.4 to a release that sanitizes the path parameter
- Restrict network exposure of the AgentScope service to trusted internal networks or authenticated reverse proxies
- Audit historical access logs for /api/file requests containing traversal patterns
- Rotate any credentials, API keys, or tokens stored on affected hosts if evidence of exploitation exists
Patch Information
Refer to the ModelScope AgentScope project for the fixed release addressing this issue. The vulnerability report and remediation status are tracked in the Huntr Bounty Listing. Confirm the deployed version reports higher than 0.0.4 and includes path canonicalization logic on the /api/file handler.
Workarounds
- Block /api/file at an upstream proxy until AgentScope is upgraded
- Add a WAF rule denying requests where the path parameter contains .., %2e%2e, or absolute path prefixes
- Run the AgentScope process under a low-privilege user with filesystem access limited to required directories
- Apply mandatory access controls (AppArmor, SELinux) restricting the service to a chrooted or namespaced directory tree
# Example nginx rule to block traversal attempts against /api/file
location /api/file {
if ($arg_path ~* "(\.\./|%2e%2e|^/)") {
return 403;
}
proxy_pass http://agentscope_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

