CVE-2024-8537 — AgentScope path traversal vulnerability

Description

A path traversal vulnerability exists in the modelscope/agentscope application, affecting all versions. The vulnerability is present in the /delete-workflow endpoint, allowing an attacker to delete arbitrary files from the filesystem. This issue arises due to improper input validation, enabling the attacker to manipulate file paths and delete sensitive files outside of the intended directory.

How to fix CVE-2024-8537

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2024-8537 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 0.1.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-8537
PATCHgithub.com/modelscope/agentscope
WEBgithub.com/modelscope/agentscope/blob/01530ee6a99c86426aab1be11ec3b3b86ca640ac/src/agentscope/studio/_app.py#L743
WEBgithub.com/modelscope/agentscope/commit/7d285e862f86fa1d96ed04c4cd40a5f1b8f9189a