CVE-2024-48050

Vulnerability

In agentscope versions up to and including v0.0.4, the is_callable_expression function in agentscope\web\workstation\workflow_utils.py contains a critical security flaw. The function uses the Python eval() built-in on user-provided input without any sanitization, as seen in the line result = eval(s) [1][2][3]. This allows arbitrary Python code to be executed in the context of the server.

Exploitation

The vulnerability is remotely exploitable and does not require authentication [2]. An attacker can craft a malicious input string containing Python code that, when passed to the is_callable_expression function, is executed directly by the eval() call. The exact attack vector depends on how the function is invoked in the web workflow interface, but the unsanitized eval provides a straightforward path for code injection.

Impact

Successful exploitation grants the attacker the ability to execute arbitrary commands on the server [2][3]. This can lead to full system compromise, data exfiltration, lateral movement within the network, or further attacks. Given the lack of authentication checks required, the severity is critical.

Mitigation

As of the disclosure date (November 2024), the vulnerability exists in all versions up to and including v0.0.4, which is still the latest version [2]. No patch has been released. Users should consider disabling any online or public-facing access to the affected workflow functionality until a fix is available. The vendor has not yet acknowledged the issue, and no workaround beyond blocking external access has been published.