Skip to main content

Agentscope CVE-2024-8537

CRITICAL
Path Traversal: '\\..\\filename' (CWE-29)
2025-03-20 security@huntr.dev
9.1
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 28, 2026 - 18:32 vuln.today
PoC Detected
Aug 01, 2025 - 01:50 vuln.today
Public exploit code
CVE Published
Mar 20, 2025 - 10:15 nvd
CRITICAL 9.1

DescriptionCVE.org

A path traversal vulnerability exists in the modelscope/agentscope application, affecting all versions. The vulnerability is present in the /delete-workflow endpoint, allowing an attacker to delete arbitrary files from the filesystem. This issue arises due to improper input validation, enabling the attacker to manipulate file paths and delete sensitive files outside of the intended directory.

AnalysisAI

A path traversal vulnerability exists in the modelscope/agentscope application, affecting all versions. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-29. A path traversal vulnerability exists in the modelscope/agentscope application, affecting all versions. The vulnerability is present in the /delete-workflow endpoint, allowing an attacker to delete arbitrary files from the filesystem. This issue arises due to improper input validation, enabling the attacker to manipulate file paths and delete sensitive files outside of the intended directory. Affected products include: Modelscope Agentscope.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2024-48050 CRITICAL POC
9.8 Nov 04

In agentscope <=v0.0.4, the file agentscope\web\workstation\workflow_utils.py has the function is_callable_expression. R

CVE-2024-8551 CRITICAL POC
9.1 Mar 20

A path traversal vulnerability exists in the save-workflow and load-workflow functionality of modelscope/agentscope vers

CVE-2024-8501 HIGH POC
8.8 Mar 20

An arbitrary file download vulnerability exists in the rpc_agent_client component of modelscope/agentscope version v0.0.

CVE-2024-8524 HIGH POC
7.5 Mar 20

A directory traversal vulnerability exists in modelscope/agentscope version 0.0.4. Rated high severity (CVSS 7.5), this

CVE-2024-8438 HIGH POC
7.5 Mar 20

A path traversal vulnerability exists in modelscope/agentscope version v.0.0.4. Rated high severity (CVSS 7.5), this vul

CVE-2026-6603 MEDIUM POC
5.5 Apr 20

Remote code execution in ModelScope AgentScope up to version 1.0.18 allows unauthenticated network attackers to inject a

CVE-2026-6606 MEDIUM POC
5.5 Apr 20

Modelscope AgentScope versions up to 1.0.18 contain a server-side request forgery (SSRF) vulnerability in the _process_a

CVE-2026-6605 MEDIUM POC
5.5 Apr 20

Server-side request forgery in ModelScope AgentScope up to version 1.0.18 allows remote unauthenticated attackers to man

CVE-2026-6604 MEDIUM POC
5.5 Apr 20

Server-side request forgery (SSRF) in ModelScope AgentScope up to version 1.0.18 allows remote unauthenticated attackers

CVE-2024-8556 MEDIUM POC
6.1 Mar 20

A stored cross-site scripting (XSS) vulnerability exists in modelscope/agentscope, as of the latest commit 21161fe on th

CVE-2024-8487 CRITICAL POC
9.8 Mar 20

A Cross-Origin Resource Sharing (CORS) vulnerability exists in modelscope/agentscope version v0.0.4. Rated critical seve

CVE-2024-8550 HIGH POC
7.5 Feb 10

A Local File Inclusion (LFI) vulnerability exists in the /load-workflow endpoint of modelscope/agentscope version v0.0.4

Share

CVE-2024-8537 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy