CVE-2024-8489 Overview
CVE-2024-8489 is a Cross-Site Request Forgery (CSRF) vulnerability in the AgentScope Studio backend server from modelscope/agentscope. The flaw stems from overly permissive Cross-Origin Resource Sharing (CORS) headers on the backend API. An attacker who tricks an authenticated user into visiting a malicious page can issue cross-origin requests to any backend endpoint. The most damaging vector abuses the api/file endpoint to read arbitrary files from the target's local file system. The issue affects the latest commit on the main branch at the time of reporting (21161fe). This weakness is tracked under CWE-352: Cross-Site Request Forgery.
Critical Impact
Attackers can read arbitrary files from a victim's local file system by luring an AgentScope Studio user to a malicious web page.
Affected Products
- modelscope/agentscope AgentScope Studio backend server
- Main branch commit 21161fe
- Deployments exposing the AgentScope Studio API to authenticated browser sessions
Discovery Timeline
- 2025-03-20 - CVE-2024-8489 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-8489
Vulnerability Analysis
AgentScope Studio ships a backend HTTP server that returns permissive CORS headers on all responses. The server allows cross-origin requests without validating the request origin or requiring CSRF tokens on state-changing or data-returning endpoints. Any browser that has an active session with an AgentScope Studio instance can be coerced by a third-party site into issuing authenticated requests. The attacker controls only the outbound request, but the browser attaches the victim's session context automatically.
The api/file endpoint returns file contents from the host running the Studio backend. Because CORS permits arbitrary origins to read responses, JavaScript on an attacker-controlled page can exfiltrate the response body. This converts a browser-level CSRF into a full arbitrary file read primitive against the developer workstation or server hosting AgentScope Studio.
Root Cause
The root cause is a misconfigured CORS policy that reflects or wildcards the Access-Control-Allow-Origin header while allowing credentials. The backend does not enforce same-origin restrictions, does not require anti-CSRF tokens, and does not validate the Origin or Referer header on sensitive endpoints. See the Huntr Bounty Report for reproduction details.
Attack Vector
Exploitation requires user interaction: the victim must visit a malicious page while AgentScope Studio is running on their machine or reachable network. The attacker's page issues a fetch or XMLHttpRequest call to the Studio backend, targeting endpoints such as api/file with a chosen file path parameter. The permissive CORS policy lets the attacker's JavaScript read the response and forward it to an external server. No credentials or privileges are required on the attacker side beyond delivering the malicious URL.
Detection Methods for CVE-2024-8489
Indicators of Compromise
- Unexpected outbound requests from a workstation to AgentScope Studio endpoints originating from browser processes rather than the Studio UI tab.
- HTTP access logs on the Studio backend showing requests to api/file with Origin headers pointing to unknown third-party domains.
- Sequential requests enumerating sensitive paths such as /etc/passwd, SSH keys, or configuration files via the api/file endpoint.
Detection Strategies
- Inspect HTTP response headers from the Studio backend for wildcard or reflected Access-Control-Allow-Origin values combined with Access-Control-Allow-Credentials: true.
- Alert on api/file requests whose Referer or Origin header does not match the expected Studio host.
- Correlate browser telemetry with backend logs to identify cross-origin data reads that exfiltrate file content.
Monitoring Recommendations
- Log all requests to AgentScope Studio API endpoints, capturing Origin, Referer, and request paths.
- Monitor for outbound network transfers immediately following cross-origin API responses on developer workstations.
- Track file paths accessed via api/file and flag any access outside the project working directory.
How to Mitigate CVE-2024-8489
Immediate Actions Required
- Restrict AgentScope Studio to bind only to 127.0.0.1 and block remote or cross-network access.
- Do not browse untrusted web content on machines where AgentScope Studio is running.
- Terminate the Studio backend when not in active use to eliminate the browser-attached attack surface.
Patch Information
No fixed version is listed in the NVD entry at time of publication. Consult the Huntr Bounty Report and the modelscope/agentscope repository for the latest remediation status before upgrading past commit 21161fe.
Workarounds
- Configure the backend CORS policy to allow only the trusted Studio UI origin and reject wildcard origins.
- Place AgentScope Studio behind a reverse proxy that enforces Origin and Referer validation on api/file and other sensitive endpoints.
- Add anti-CSRF tokens or a custom request header check that browsers cannot set on simple cross-origin requests.
- Run AgentScope Studio inside an isolated user account or container with read access limited to project files only.
# Configuration example: restrict Studio to loopback and validate Origin at the proxy
# nginx snippet in front of AgentScope Studio
server {
listen 127.0.0.1:8080;
location /api/ {
if ($http_origin !~ "^https?://127\.0\.0\.1(:[0-9]+)?$") {
return 403;
}
proxy_pass http://127.0.0.1:5000;
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

