AVID-2026-R1622
Description
Path Traversal in modelscope/agentscope (CVE-2024-8551)
Details
A path traversal vulnerability exists in the save-workflow and load-workflow functionality of modelscope/agentscope versions prior to the fix. This vulnerability allows an attacker to read and write arbitrary JSON files on the filesystem, potentially leading to the exposure or modification of sensitive information such as configuration files, API keys, and hardcoded passwords.
Reason for inclusion in AVID: The CVE describes a path traversal vulnerability in modelscope/agentscope’s save-workflow and load-workflow, allowing an attacker to read and write arbitrary JSON files on the filesystem, potentially exposing or modifying sensitive information. This affects an AI software component used in AI pipelines, representing a software supply-chain issue for general-purpose AI systems. The vulnerability is security-related with clear impact (CWE-23, CVSS 3.0 base score 9.1). Evidence is provided in the CVE entry and CVSS details.
Affected or Relevant Artifacts
- Developer: modelscope
- Deployer: modelscope
- Artifact Details:
| Type | Name |
|---|---|
| System | modelscope/agentscope |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Metric | Value |
|---|---|
| Version | 3.0 |
| Vector String | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| Base Score | 9.1 |
| Base Severity | 🔴 Critical |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | 🔴 High |
| Availability Impact | 🔴 High |
CWE
| ID | Description |
|---|---|
| CWE-23 | CWE-23 Relative Path Traversal |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2025-03-20
- Version: 0.3.3