AVID-2026-R1619
Description
CORS Vulnerability in modelscope/agentscope (CVE-2024-8487)
Details
A Cross-Origin Resource Sharing (CORS) vulnerability exists in modelscope/agentscope version v0.0.4. The CORS configuration on the agentscope server does not properly restrict access to only trusted origins, allowing any external domain to make requests to the API. This can lead to unauthorized data access, information disclosure, and potential further exploitation, thereby compromising the integrity and confidentiality of the system.
Reason for inclusion in AVID: CVE-2024-8487 documents a CORS misconfiguration in modelscope/agentscope, an AI-serving component. This affects software used in building/deploying AI systems, with high confidentiality impact and network-based exploitation, providing sufficient evidence to consider it a software supply-chain vulnerability in general-purpose AI stacks.
References
Affected or Relevant Artifacts
- Developer: modelscope
- Deployer: modelscope
- Artifact Details:
| Type | Name |
|---|---|
| System | modelscope/agentscope |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.0 |
|---|---|
| Vector String | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N |
| Base Score | 7.4 |
| Base Severity | 🔴 High |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | CHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | NONE |
| Availability Impact | NONE |
CWE
| ID | Description |
|---|---|
| CWE-346 | CWE-346 Origin Validation Error |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2025-03-20
- Version: 0.3.3
- AVID Entry