CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-8489: CSRF due to overly permissive CORS headers in modelscope/agentscope

8.8 CVSS

Description

A vulnerability in modelscope/agentscope, specifically in the AgentScope Studio backend server, allows for Cross-Site Request Forgery (CSRF) due to overly permissive CORS headers. This issue affects the latest commit on the main branch (21161fe). The vulnerability permits an attacker to access all backend endpoints, including the `api/file` endpoint, enabling the reading of arbitrary files on the target's local file system through CSRF.

Classification

CVE ID: CVE-2024-8489

CVSS Base Severity: HIGH

CVSS Base Score: 8.8

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Problem Types

CWE-352 Cross-Site Request Forgery (CSRF)

Affected Products

Vendor: modelscope

Product: modelscope/agentscope

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 3.62% (scored less or equal to compared to others)

EPSS Date: 2025-04-18 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-8489
https://huntr.com/bounties/93195bf0-9ac2-4476-a2ea-7c9364727e8c

Timeline

2025-03-20 11:40:38 UTC
CVE

CSRF due to overly permissive CORS headers in modelscope/agentscope