CVE-2024-8438: AgentScope Path Traversal in /api/file

March 20, 2025

A path traversal vulnerability exists in modelscope/agentscope version v.0.0.4. The API endpoint /api/file does not properly sanitize the path parameter, allowing an attacker to read arbitrary files on the server.

References

github.com/advisories/GHSA-f4hc-q562-cc5r
github.com/modelscope/agentscope
github.com/modelscope/agentscope/blob/af8e45ded37b3834c981473b309239e0102473d0/src/agentscope/studio/_app.py
huntr.com/bounties/3f170c58-42ee-422d-ab6f-32c7aa05b974
nvd.nist.gov/vuln/detail/CVE-2024-8438

Detect and mitigate CVE-2024-8438 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →