CVE-2024-8551: Path Traversal in modelscope/agentscope

9.1 CVSS

Description

A path traversal vulnerability exists in the save-workflow and load-workflow functionality of modelscope/agentscope versions prior to the fix. This vulnerability allows an attacker to read and write arbitrary JSON files on the filesystem, potentially leading to the exposure or modification of sensitive information such as configuration files, API keys, and hardcoded passwords.

Classification

CVE ID: CVE-2024-8551

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.1

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Problem Types

CWE-23 Relative Path Traversal

Affected Products

Vendor: modelscope

Product: modelscope/agentscope

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.08% (probability of being exploited)

EPSS Percentile: 25.08% (share of scored vulnerabilities with an equal or lower EPSS score)

EPSS Date: 2025-04-18 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-8551
https://huntr.com/bounties/e0c0c294-f1e2-4f2c-a632-a9be9fd06989

Timeline