CVE-2024-8487 – This CVE describes a Cross-Origin Resource Shar... (How to Fix)

📋 TL;DR

This CVE describes a Cross-Origin Resource Sharing (CORS) misconfiguration in modelscope/agentscope v0.0.4 that allows any external domain to make requests to the API. This vulnerability enables unauthorized data access and information disclosure, potentially compromising system integrity and confidentiality. Anyone running the vulnerable version with the API exposed is affected.

💻 Affected Systems

Products:

modelscope/agentscope

Versions: v0.0.4

Operating Systems: all

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems where the agentscope server API is accessible to external networks.

📦 What is this software?

Agentscope by Modelscope

View all CVEs affecting Agentscope →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could exfiltrate sensitive data, perform unauthorized actions through the API, and chain this with other vulnerabilities for complete system compromise.

🟠

Likely Case

Unauthorized data access and information disclosure through API endpoints, potentially exposing user data, configuration details, or internal system information.

🟢

If Mitigated

With proper CORS restrictions, only trusted origins can access the API, preventing cross-origin attacks while maintaining legitimate functionality.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires only web browser access and knowledge of API endpoints. No authentication bypass needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.0.5 or later

Vendor Advisory: https://huntr.com/bounties/7aca7507-a94e-4e63-83a2-15648e5c4067

Restart Required: Yes

Instructions:

1. Update agentscope to v0.0.5 or later using pip: pip install --upgrade agentscope
2. Restart the agentscope server
3. Verify the CORS configuration restricts origins appropriately

🔧 Temporary Workarounds

Configure CORS restrictions

all

Manually configure CORS to only allow trusted origins

Edit agentscope server configuration to set allowed_origins to specific trusted domains

Network isolation

all

Restrict network access to agentscope server

Use firewall rules to limit access to trusted IPs only

🧯 If You Can't Patch

Implement reverse proxy with proper CORS headers
Restrict network access to only trusted IP addresses

🔍 How to Verify

Check if Vulnerable:

Check if agentscope server responds with Access-Control-Allow-Origin: * header to cross-origin requests

Check Version:

pip show agentscope | grep Version

Verify Fix Applied:

Verify cross-origin requests from untrusted domains are blocked and only trusted origins are allowed

📡 Detection & Monitoring

Log Indicators:

Multiple cross-origin requests from unusual domains
Failed CORS preflight requests

Network Indicators:

HTTP requests with Origin headers from untrusted domains
CORS preflight OPTIONS requests

SIEM Query:

http.method=OPTIONS AND http.headers.origin NOT IN ["trusted-domain1.com", "trusted-domain2.com"]

📊 Metadata

CVE ID: CVE-2024-8487

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-346

EPSS Score: 0.05% exploit probability (15th percentile)

Published: March 20, 2025

Last Updated: April 1, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-8487, you might also want to check these: