CVE-2024-8537 CRITICAL

CVE-2024-8537: Path Traversal in modelscope/agentscope

Vendor Modelscope
Product modelscope/agentscope
Weakness CWE-29
Published March 20, 2025
Last update March 20, 2025

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity High
Availability High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

What the vulnerability does

01 Description

A path traversal vulnerability exists in the modelscope/agentscope application, affecting all versions. The vulnerability is present in the /delete-workflow endpoint, allowing an attacker to delete arbitrary files from the filesystem. This issue arises due to improper input validation, enabling the attacker to manipulate file paths and delete sensitive files outside of the intended directory.
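The missing validation described above can be closed with a containment check that runs before any delete. The sketch below is an added example, not agentscope's own code: the function names, the `workflows` directory and the sample file names are hypothetical, and the sample files are constructed in a temporary directory.

```python
import tempfile
from pathlib import Path


class UnsafePath(ValueError):
    """Raised when a client-supplied name would escape the workflow directory."""


def resolve_inside(base_dir, filename):
    """Return the resolved path for filename, or raise if it leaves base_dir."""
    base = Path(base_dir).resolve()
    if not filename or "\x00" in filename:
        raise UnsafePath("empty name or NUL byte")
    # resolve() collapses '..' segments and follows symlinks; joining with an
    # absolute filename discards base entirely, which the parent check catches.
    candidate = (base / filename).resolve()
    if base not in candidate.parents:
        raise UnsafePath(f"{filename!r} resolves outside {base}")
    return candidate


def delete_workflow(base_dir, filename):
    """Delete a workflow file only if it is a regular file under base_dir."""
    target = resolve_inside(base_dir, filename)
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo():
    """Run the check against constructed inputs; returns (results, sentinel_survived)."""
    with tempfile.TemporaryDirectory() as root:
        workflows = Path(root, "workflows")
        workflows.mkdir()
        (workflows / "flow.json").write_text("{}")
        sentinel = Path(root, "sentinel.txt")  # stands in for a file outside the directory
        sentinel.write_text("keep")
        cases = [("legit", "flow.json"), ("dotdot", "../sentinel.txt"),
                 ("absolute", str(sentinel)), ("nested", "sub/../../sentinel.txt")]
        results = {}
        for label, name in cases:
            try:
                results[label] = delete_workflow(workflows, name)
            except UnsafePath:
                results[label] = "rejected"
        return results, sentinel.exists()


if __name__ == "__main__":
    print(demo())
```

Comparing resolved paths rather than scanning the raw string for `..` also covers absolute paths and symlinks that point outside the directory.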

Key dates

02 Disclosure timeline

March 20, 2025 CVE published
March 20, 2025 Record updated