Skip to main content

Agentscope CVE-2024-48050

CRITICAL
Code Injection (CWE-94)
2024-11-04 cve@mitre.org
9.8
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (mitre) · only source for this CVE.

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Nov 04, 2024 - 23:15 cve.org
CRITICAL 9.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 pypi packages depend on agentscope (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.1.0.

DescriptionCVE.org

In agentscope <=v0.0.4, the file agentscope\web\workstation\workflow_utils.py has the function is_callable_expression. Within this function, the line result = eval(s) poses a security risk as it can directly execute user-provided commands.

AnalysisAI

In agentscope <=v0.0.4, the file agentscope\web\workstation\workflow_utils.py has the function is_callable_expression. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Code Injection (CWE-94), which allows attackers to inject and execute arbitrary code within the application. In agentscope <=v0.0.4, the file agentscope\web\workstation\workflow_utils.py has the function is_callable_expression. Within this function, the line result = eval(s) poses a security risk as it can directly execute user-provided commands. Affected products include: Modelscope Agentscope.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Never evaluate user-controlled input as code. Use sandboxing, disable dangerous functions, apply strict input validation.

CVE-2024-8537 CRITICAL POC
9.1 Mar 20

A path traversal vulnerability exists in the modelscope/agentscope application, affecting all versions. Rated critical s

CVE-2024-8551 CRITICAL POC
9.1 Mar 20

A path traversal vulnerability exists in the save-workflow and load-workflow functionality of modelscope/agentscope vers

CVE-2024-8501 HIGH POC
8.8 Mar 20

An arbitrary file download vulnerability exists in the rpc_agent_client component of modelscope/agentscope version v0.0.

CVE-2024-8524 HIGH POC
7.5 Mar 20

A directory traversal vulnerability exists in modelscope/agentscope version 0.0.4. Rated high severity (CVSS 7.5), this

CVE-2024-8438 HIGH POC
7.5 Mar 20

A path traversal vulnerability exists in modelscope/agentscope version v.0.0.4. Rated high severity (CVSS 7.5), this vul

CVE-2026-6603 MEDIUM POC
5.5 Apr 20

Remote code execution in ModelScope AgentScope up to version 1.0.18 allows unauthenticated network attackers to inject a

CVE-2026-6606 MEDIUM POC
5.5 Apr 20

Modelscope AgentScope versions up to 1.0.18 contain a server-side request forgery (SSRF) vulnerability in the _process_a

CVE-2026-6605 MEDIUM POC
5.5 Apr 20

Server-side request forgery in ModelScope AgentScope up to version 1.0.18 allows remote unauthenticated attackers to man

CVE-2026-6604 MEDIUM POC
5.5 Apr 20

Server-side request forgery (SSRF) in ModelScope AgentScope up to version 1.0.18 allows remote unauthenticated attackers

CVE-2024-8556 MEDIUM POC
6.1 Mar 20

A stored cross-site scripting (XSS) vulnerability exists in modelscope/agentscope, as of the latest commit 21161fe on th

CVE-2024-8487 CRITICAL POC
9.8 Mar 20

A Cross-Origin Resource Sharing (CORS) vulnerability exists in modelscope/agentscope version v0.0.4. Rated critical seve

CVE-2024-8550 HIGH POC
7.5 Feb 10

A Local File Inclusion (LFI) vulnerability exists in the /load-workflow endpoint of modelscope/agentscope version v0.0.4

Share

CVE-2024-48050 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy