CVE-2024-8438

7.5 HIGH

📋 TL;DR

A path traversal vulnerability in modelscope/agentscope v0.0.4 allows attackers to read arbitrary files on the server by manipulating the 'path' parameter in the /api/file endpoint. This affects all deployments using the vulnerable version of the agentscope framework.

💻 Affected Systems

Products:
  • modelscope/agentscope
Versions: v0.0.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments with the /api/file endpoint exposed and accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise through reading sensitive files like SSH keys, configuration files, or database credentials, potentially leading to lateral movement and data exfiltration.

🟠 Likely Case

Unauthorized access to sensitive configuration files, source code, or user data stored on the server filesystem.

🟢 If Mitigated

Limited impact if proper file permissions restrict access to sensitive directories and files.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires knowledge of the API endpoint and ability to craft HTTP requests with path traversal sequences.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.0.5 or later

Vendor Advisory: https://huntr.com/bounties/3f170c58-42ee-422d-ab6f-32c7aa05b974

Restart Required: No

Instructions:

1. Update agentscope to v0.0.5 or later using pip install --upgrade agentscope.
2. Verify the update with pip show agentscope.
3. Test the /api/file endpoint with traversal attempts to confirm the fix.

🔧 Temporary Workarounds

Input Validation Middleware

all

Add input validation to sanitize the 'path' parameter before processing

Implement path normalization and validation in your application code
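
The normalization-and-containment check described above, as an added example (not agentscope's code and not the v0.0.5 patch). The names resolve_within and PathTraversalError and the "served" base directory are hypothetical; the sample tree is constructed in a temporary directory.

```python
import os
import tempfile

class PathTraversalError(ValueError):
    """The requested path resolves outside the allowed base directory."""

def resolve_within(base_dir: str, user_path: str) -> str:
    """Return the real path of user_path under base_dir, or raise."""
    if not user_path or "\x00" in user_path:
        raise PathTraversalError("empty path or NUL byte")
    base_real = os.path.realpath(base_dir)
    # realpath collapses '..' segments and follows symlinks. os.path.join
    # drops base_real when user_path is absolute, so absolute paths are
    # judged by the same containment check.
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    try:
        inside = os.path.commonpath([base_real, candidate]) == base_real
    except ValueError:  # e.g. different drives on Windows
        inside = False
    if not inside:
        raise PathTraversalError(f"path escapes base directory: {user_path!r}")
    return candidate

def demo() -> dict:
    """Check constructed inputs against a throwaway directory tree."""
    samples = ["sub/ok.txt", "sub/../sub/ok.txt", "../secret.txt",
               "sub/../../secret.txt", "/etc/passwd", "link", ""]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        base = os.path.join(root, "served")  # hypothetical served directory
        os.makedirs(os.path.join(base, "sub"))
        for name in (os.path.join(base, "sub", "ok.txt"),
                     os.path.join(root, "secret.txt")):
            with open(name, "w") as fh:
                fh.write("constructed sample\n")
        # Symlink inside the served directory that points outside it.
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(base, "link"))
        for path in samples:
            try:
                resolve_within(base, path)
                results[path] = "allowed"
            except PathTraversalError:
                results[path] = "blocked"
    return results

if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:8} {path!r}")
```

Run the check on the parameter value after the framework has URL-decoded it, and open the path the function returns rather than the original input, so the file that was validated is the file that is read.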

Web Application Firewall

all

Configure WAF rules to block path traversal patterns

Add a rule to block requests containing '../', '..\\', or absolute paths in the path parameter

🧯 If You Can't Patch

  • Restrict access to the /api/file endpoint using network ACLs or authentication
  • Implement strict file system permissions to limit readable directories

🔍 How to Verify

Check if Vulnerable:

Test the /api/file endpoint with a path parameter containing '../etc/passwd' or similar traversal sequences

Check Version:

pip show agentscope | grep Version

Verify Fix Applied:

Repeat the same traversal test after patching; the endpoint should return an error or a sanitized path

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /api/file with '..' sequences in parameters
  • Unusual file access patterns from web application logs

Network Indicators:

  • HTTP requests with path traversal patterns in URL parameters

SIEM Query:

source="web_logs" AND uri_path="/api/file" AND (param_path="*..*" OR param_path="*../*")
