CVE-2024-8502 Overview
A critical insecure deserialization vulnerability exists in the RpcAgentServerLauncher class of modelscope/agentscope v0.0.6a3. This vulnerability allows remote code execution (RCE) through the deserialization of untrusted data using the dill library. The flaw is present in the AgentServerServicer.create_agent method, where serialized input is processed using dill.loads, enabling attackers to execute arbitrary commands on the server without authentication.
Critical Impact
Attackers can achieve complete server compromise through unauthenticated remote code execution by sending malicious serialized payloads to the AgentScope RPC server.
Affected Products
- modelscope/agentscope v0.0.6a3
- AgentScope RPC Server components using RpcAgentServerLauncher
- Systems utilizing AgentServerServicer.create_agent method with untrusted input
Discovery Timeline
- 2025-03-20 - CVE-2024-8502 published to NVD
- 2025-03-20 - Last updated in NVD database
Technical Details for CVE-2024-8502
Vulnerability Analysis
This vulnerability is classified as CWE-502 (Deserialization of Untrusted Data). The root issue lies in the AgentScope framework's handling of serialized data within its RPC (Remote Procedure Call) server implementation. When processing agent creation requests, the AgentServerServicer.create_agent method deserializes incoming data using Python's dill library without proper validation or sanitization.
The dill library extends Python's pickle module with additional serialization capabilities, but inherits the same fundamental security concern: deserialized data can include arbitrary Python objects that execute code during the deserialization process. By crafting a malicious payload that includes code execution primitives, an attacker can trigger arbitrary command execution on the target server when the payload is processed by dill.loads.
This attack requires no authentication and can be executed remotely over the network, making it particularly dangerous for exposed AgentScope deployments.
Root Cause
The vulnerability stems from the use of dill.loads() to deserialize untrusted input in the AgentServerServicer.create_agent method. The dill library, like pickle, allows arbitrary Python object serialization including callable objects and code execution primitives. When untrusted data is passed to dill.loads(), an attacker can craft a serialized payload containing malicious code that executes during the deserialization process.
The fundamental issue is trusting client-supplied serialized data without implementing proper input validation, sanitization, or using a safe serialization format like JSON for agent creation parameters.
Attack Vector
The attack vector is network-based with no authentication required. An attacker can send a specially crafted RPC request to the AgentScope server containing a malicious serialized payload. When the create_agent method processes this request and calls dill.loads() on the attacker-controlled data, the malicious payload executes arbitrary code with the privileges of the AgentScope server process.
The vulnerability manifests in the AgentServerServicer.create_agent method where user-controlled serialized data is passed directly to dill.loads(). For technical details on the vulnerability mechanics, refer to the Huntr Bug Bounty Submission.
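The mechanism described under Root Cause and Attack Vector, shown as an added example; this is not code from the page or from AgentScope. Standard-library pickle stands in for dill here (dill.loads is a superset of pickle.loads and reconstructs objects through the same __reduce__ protocol, so the behaviour is identical). RunsOnLoad, record(), the hypothetical EXPECTED_FIELDS schema and all function names are constructed for the demonstration. The second half shows the JSON replacement listed under Workarounds, plus a restricted unpickler as defence in depth for a transition period.

```python
import io
import json
import pickle

# pickle stands in for dill: dill.loads honours the same __reduce__ gadget.

# Side effects observed during deserialization (constructed for this demo).
SIDE_EFFECTS: list[str] = []


def record(tag: str) -> str:
    """Harmless stand-in for whatever a hostile payload would call."""
    SIDE_EFFECTS.append(tag)
    return tag


class RunsOnLoad:
    """__reduce__ names a callable and its arguments; the unpickler calls
    that callable while reconstructing the object, before loads() returns."""

    def __reduce__(self):
        return (record, ("executed inside loads()",))


def vulnerable_create_agent(payload: bytes):
    """The flawed pattern: client-supplied bytes go straight into loads()."""
    return pickle.loads(payload)


# Hypothetical field set for an agent-creation request (not AgentScope's schema).
EXPECTED_FIELDS = {"agent_type": str, "name": str, "options": dict}


def hardened_create_agent(payload: bytes) -> dict:
    """Preferred fix: a data-only format plus shape validation. json.loads can
    only yield dicts, lists, strings, numbers, bools and None, so there is no
    callable for the parser to invoke."""
    params = json.loads(payload.decode("utf-8"))
    if not isinstance(params, dict):
        raise ValueError("agent parameters must be a JSON object")
    unexpected = set(params) - set(EXPECTED_FIELDS)
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    for field, expected_type in EXPECTED_FIELDS.items():
        if field not in params:
            raise ValueError(f"missing field: {field}")
        if not isinstance(params[field], expected_type):
            raise ValueError(f"field {field} must be {expected_type.__name__}")
    return params


class RestrictedUnpickler(pickle.Unpickler):
    """Defence in depth if the binary format must be kept for a while: refuse
    every global lookup that is not allowlisted. RunsOnLoad needs find_class()
    to resolve `record`, so it is rejected before anything is called."""

    # Only needed for streams written with protocol < 4; keep this list tiny.
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(payload: bytes):
    return RestrictedUnpickler(io.BytesIO(payload)).load()


def try_load(loader, payload: bytes):
    """Wrap a loader so callers get ("ok", value) or ("rejected", reason)."""
    try:
        return ("ok", loader(payload))
    except (pickle.UnpicklingError, ValueError) as exc:
        return ("rejected", str(exc))


# Constructed sample inputs.
def gadget_payload() -> bytes:
    return pickle.dumps(RunsOnLoad())


def plain_data_payload() -> bytes:
    return pickle.dumps({"agent_type": "dialog", "name": "helper", "options": {}})


def json_payload() -> bytes:
    return json.dumps({"agent_type": "dialog", "name": "helper", "options": {}}).encode()


if __name__ == "__main__":
    print("vulnerable:", try_load(vulnerable_create_agent, gadget_payload()), SIDE_EFFECTS)
    print("restricted:", try_load(restricted_loads, gadget_payload()))
    print("json:", try_load(hardened_create_agent, json_payload()))
```

Validating or "sanitising" pickle or dill bytes before loads() is not a dependable fix: the callable runs while the stream is being read, so the only reliable change is to stop deserialising untrusted bytes with a pickle-family loader. The restricted unpickler narrows exposure during a migration; the JSON path is the fix.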
Detection Methods for CVE-2024-8502
Indicators of Compromise
- Unexpected network connections from the AgentScope server to external destinations
- Unusual process spawning by the AgentScope server process
- Suspicious RPC requests to the agent creation endpoint with abnormally large or encoded payloads
- Anomalous system command execution traced back to the Python interpreter running AgentScope
Detection Strategies
- Monitor network traffic to AgentScope RPC endpoints for unusual serialized payloads or unexpected request patterns
- Implement application-level logging for all create_agent method invocations and analyze payload characteristics
- Deploy intrusion detection rules to identify dill/pickle deserialization attack patterns in network traffic
- Use runtime application security monitoring to detect unexpected code execution paths during deserialization
Monitoring Recommendations
- Enable verbose logging for the AgentScope RPC server to capture all incoming agent creation requests
- Monitor process behavior for the AgentScope server, alerting on child process spawning or network connections
- Implement network segmentation to limit exposure of AgentScope RPC services
- Review access logs for the RPC endpoints for signs of reconnaissance or exploitation attempts
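One way to implement the payload-inspection strategies above (logging create_agent payload characteristics and flagging dill/pickle deserialization patterns), added here as an example; it is not code from the page or from AgentScope. It relies on pickletools.genops, which disassembles a pickle stream into opcodes without executing anything, so it is safe to run on hostile input at a proxy or in an application-level gate. The allowlist policy, the Marker class and the sample payloads are constructed for the demonstration.

```python
import pickle
import pickletools

# Globals a data-only agent-creation payload could legitimately reference.
# Constructed policy for this example; anything else is reported.
ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset"),
                   ("collections", "OrderedDict")}

# Opcodes that build arbitrary objects; a payload made only of dicts, lists,
# strings and numbers never needs them.
CONSTRUCTION_OPS = {"REDUCE", "BUILD", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}

# Opcodes that push a text string; STACK_GLOBAL consumes the two most recent.
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}

# Memo stores sit between the string pushes and STACK_GLOBAL; they are neutral.
MEMO_STORE_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}


def _check_global(module, name, pos, findings):
    if (module, name) not in ALLOWED_GLOBALS:
        findings.append(f"offset {pos}: global reference {module}.{name} not allowlisted")


def inspect_pickle(payload: bytes) -> list[str]:
    """Statically walk the opcode stream and list every reason the payload
    should not be handed to dill.loads/pickle.loads. Empty list == clean."""
    findings = []
    recent_strings = []  # string pushes immediately preceding the current opcode
    try:
        for opcode, arg, pos in pickletools.genops(payload):
            if opcode.name in STRING_OPS:
                recent_strings.append(arg)
                continue
            if opcode.name in MEMO_STORE_OPS:
                continue
            if opcode.name == "GLOBAL":            # protocol <= 3: "module name"
                module, name = arg.split(" ", 1)
                _check_global(module, name, pos, findings)
            elif opcode.name == "STACK_GLOBAL":    # protocol 4+: operands pushed first
                if len(recent_strings) >= 2:
                    _check_global(recent_strings[-2], recent_strings[-1], pos, findings)
                else:
                    # Operands came via memo lookups or something else we did not
                    # model; refuse rather than guess.
                    findings.append(f"offset {pos}: STACK_GLOBAL with unresolvable operands")
            elif opcode.name in CONSTRUCTION_OPS:
                findings.append(f"offset {pos}: object construction opcode {opcode.name}")
            recent_strings = []  # any other opcode breaks the push/push/STACK_GLOBAL shape
    except ValueError as exc:
        # genops raises ValueError for unknown opcodes and truncated streams.
        findings.append(f"malformed pickle stream: {exc}")
    return findings


def should_block(payload: bytes) -> bool:
    return bool(inspect_pickle(payload))


# --- constructed samples ---------------------------------------------------
class Marker:
    """Harmless custom class; pickling it yields the same GLOBAL + REDUCE
    shape as a code-execution payload, so it exercises the detector."""

    def __reduce__(self):
        return (Marker, ())


def benign_sample() -> bytes:
    return pickle.dumps({"agent_type": "dialog", "name": "helper", "options": {}})


def suspicious_sample() -> bytes:
    return pickle.dumps(Marker())


def truncated_sample() -> bytes:
    return benign_sample()[:-1]  # final STOP opcode cut off


if __name__ == "__main__":
    for label, sample in (("benign", benign_sample()), ("suspicious", suspicious_sample()),
                          ("truncated", truncated_sample())):
        print(label, len(sample), "bytes ->", inspect_pickle(sample) or "clean")
```

Log the findings together with the payload length and source address for every create_agent request, and block on any non-empty result. The tracker deliberately refuses a STACK_GLOBAL whose operands it cannot resolve rather than guessing, which trades a few false positives for no silent misses.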
How to Mitigate CVE-2024-8502
Immediate Actions Required
- Restrict network access to AgentScope RPC services to trusted hosts only using firewall rules
- Disable the RPC agent server functionality if not required for operations
- Implement network segmentation to isolate AgentScope deployments from untrusted networks
- Audit existing deployments for signs of compromise before applying fixes
Patch Information
At the time of publication, users should check the modelscope/agentscope GitHub repository for updated versions that address this vulnerability. The issue was reported through the Huntr Bug Bounty program. Users should upgrade to a patched version as soon as one becomes available from the vendor.
Workarounds
- Implement network-level access controls to restrict RPC server access to trusted IP addresses only
- Deploy a web application firewall (WAF) or reverse proxy to filter malicious serialized payloads
- Consider replacing dill deserialization with a safer serialization format like JSON for agent parameters
- Run the AgentScope server in a sandboxed environment with limited privileges to reduce impact of exploitation
# Example: Restrict access to AgentScope RPC port using iptables
# Replace 12345 with the actual RPC port and 10.0.0.0/8 with the trusted network.
# Rules match in order: traffic from the trusted network is accepted first,
# then everything else destined for that port is dropped.
iptables -A INPUT -p tcp --dport 12345 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 12345 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.