Skip to main content
CVE Vulnerability Database

CVE-2024-8524: Modelscope Agentscope Path Traversal

CVE-2024-8524 is a directory traversal vulnerability in Modelscope Agentscope version 0.0.4 that allows attackers to read local JSON files via the /read-examples endpoint. This article covers technical details, impact, and mitigation.

Published:

CVE-2024-8524 Overview

CVE-2024-8524 is a directory traversal vulnerability in Modelscope AgentScope version 0.0.4. The flaw resides in the /read-examples endpoint, which fails to sanitize user-supplied file paths before reading local files. An unauthenticated remote attacker can send a crafted POST request to retrieve arbitrary JSON files from the host filesystem.

The issue is tracked under CWE-22: Improper Limitation of a Pathname to a Restricted Directory. Because exploitation requires no authentication and no user interaction, any AgentScope deployment exposed to untrusted networks is at risk of confidentiality loss.

Critical Impact

Unauthenticated attackers can read arbitrary local JSON files, exposing configuration data, credentials, or model metadata stored on the AgentScope host.

Affected Products

  • Modelscope AgentScope 0.0.4
  • Deployments exposing the /read-examples HTTP endpoint
  • Applications embedding AgentScope 0.0.4 as a dependency

Discovery Timeline

  • 2025-03-20 - CVE-2024-8524 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-8524

Vulnerability Analysis

AgentScope exposes an HTTP endpoint at /read-examples intended to serve example JSON files bundled with the application. The endpoint accepts a filename parameter through a POST request and reads the referenced file from disk. The handler concatenates the user input into a filesystem path without normalizing or validating it against an allowlisted base directory.

An attacker supplies path traversal sequences such as ../../ to escape the intended examples directory. The server resolves the traversal and returns the contents of the target file to the caller. The response is limited to JSON-formatted content, so the impact is primarily confidentiality of structured configuration and metadata files.

The vulnerability affects confidentiality but not integrity or availability. The endpoint only reads files and does not permit writes or code execution. However, JSON files on AI application hosts often contain API keys, model configuration, and infrastructure secrets useful for follow-on attacks.

Root Cause

The root cause is missing input validation on the filename parameter. The handler does not canonicalize the resolved path or verify it remains within the designated examples directory. Standard defenses such as os.path.realpath checks or allowlist matching are absent.

Attack Vector

Exploitation is straightforward. An attacker with network reachability to the AgentScope service sends a POST request to /read-examples containing traversal sequences in the filename field. The server responds with the contents of the referenced JSON file. No credentials, sessions, or prior interaction are required.

The vulnerability manifests in the file-loading logic of the /read-examples endpoint. See the Huntr bounty listing for reproduction details.

Detection Methods for CVE-2024-8524

Indicators of Compromise

  • HTTP POST requests to /read-examples containing ../ or URL-encoded %2e%2e%2f sequences in the request body.
  • Responses from AgentScope returning JSON content that does not match files under the expected examples directory.
  • Access log entries showing repeated /read-examples requests from a single source with varying filename parameters.
  • Outbound reconnaissance from AgentScope hosts following suspicious /read-examples traffic.

Detection Strategies

  • Deploy web application firewall rules that block path traversal patterns in request bodies targeting /read-examples.
  • Enable verbose HTTP request logging on AgentScope services and forward logs to a centralized analytics platform for pattern matching.
  • Alert on any /read-examples request whose payload contains .., backslashes, or absolute path prefixes.

Monitoring Recommendations

  • Baseline normal /read-examples traffic volume and alert on deviations that suggest enumeration.
  • Monitor file access on AgentScope hosts for reads of sensitive JSON files by the AgentScope process user.
  • Correlate AgentScope HTTP logs with authentication events on adjacent systems to identify credential misuse after disclosure.

How to Mitigate CVE-2024-8524

Immediate Actions Required

  • Restrict network exposure of AgentScope 0.0.4 to trusted internal networks or behind authenticated reverse proxies.
  • Disable the /read-examples endpoint at the reverse proxy layer if the functionality is not required in production.
  • Rotate any credentials, API keys, or tokens stored in JSON files on affected hosts.
  • Review access logs for prior exploitation attempts against /read-examples.

Patch Information

No vendor advisory or fixed version is listed in the NVD entry at the time of publication. Consult the Modelscope AgentScope repository for the latest releases and upgrade beyond version 0.0.4 when a patched build is available. Review the Huntr bounty listing for vendor response status.

Workarounds

  • Place AgentScope behind an authenticating reverse proxy that rejects requests containing path traversal patterns.
  • Run AgentScope as an unprivileged user with filesystem access limited to the application directory using mandatory access controls.
  • Implement a request filter that canonicalizes the filename parameter and rejects any resolved path outside the examples directory.
  • Deploy AgentScope inside a container with a read-only root filesystem and minimal mounted secrets.
bash
# Example nginx rule to block traversal patterns targeting /read-examples
location /read-examples {
    if ($request_body ~* "\.\.(/|%2f|\\)") {
        return 403;
    }
    proxy_pass http://agentscope_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.