VYPR
High severity · NVD Advisory · Published Mar 20, 2025 · Updated Oct 15, 2025

Directory Traversal in modelscope/agentscope

CVE-2024-8524

Description

A directory traversal vulnerability exists in modelscope/agentscope version 0.0.4. An attacker can exploit this vulnerability to read any local JSON file by sending a crafted POST request to the /read-examples endpoint.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A directory traversal in AgentScope 0.0.4 allows unauthenticated attackers to read arbitrary local JSON files via a crafted POST to /read-examples.

Vulnerability

Overview

CVE-2024-8524 describes a directory traversal vulnerability in AgentScope version 0.0.4, specifically within the /read-examples endpoint. The application fails to properly sanitize user-supplied file path input, enabling attackers to escape the intended examples directory [2][3].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a crafted POST request to the /read-examples endpoint with a path parameter containing directory traversal sequences (e.g., ../). This allows the attacker to read any local JSON file on the server, regardless of its location [2][4].

Impact

Successful exploitation enables the attacker to read sensitive information stored in JSON files, such as configuration parameters, authentication tokens, or application data. This information leakage could be leveraged for further attacks against the system or its users [4].

Mitigation

The vulnerability affects AgentScope 0.0.4. Users are advised to update to a patched version or manually implement input validation to restrict file paths to the intended examples directory. The project maintainers have been notified, and a fix is available in later releases [1].
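One way to implement the path restriction described above, shown as an added example rather than AgentScope's own code or its actual fix. The function name, exception class and directory layout are hypothetical, and the sample files are constructed inside a temporary directory:

```python
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a requested path is not an allowed example file."""


def resolve_example_path(base_dir, requested):
    """Return the resolved path only if it is a .json file inside base_dir."""
    base = Path(base_dir).resolve()
    # Joining with an absolute `requested` discards `base`, so the check must
    # run on the fully resolved result, never on the raw request string.
    candidate = (base / requested).resolve()
    # resolve() collapses ".." and follows symlinks, so a link inside the
    # examples directory that points elsewhere is rejected as well.
    if base not in candidate.parents:
        raise UnsafePathError(f"outside examples directory: {requested!r}")
    if candidate.suffix != ".json" or not candidate.is_file():
        raise UnsafePathError(f"not an example JSON file: {requested!r}")
    return candidate


def demo():
    """Run the check over constructed request values; return label -> verdict."""
    with tempfile.TemporaryDirectory() as root:
        examples = Path(root, "examples")
        examples.mkdir()
        (examples / "chat.json").write_text('{"name": "chat"}')
        secret = Path(root, "secret.json")  # constructed file outside examples
        secret.write_text('{"token": "constructed"}')
        (examples / "link.json").symlink_to(secret)
        cases = {
            "plain": "chat.json",
            "dotdot": "../secret.json",
            "nested": "sub/../../secret.json",
            "absolute": str(secret),
            "symlink": "link.json",
            "wrong_ext": "chat.txt",
        }
        verdicts = {}
        for label, requested in cases.items():
            try:
                resolve_example_path(examples, requested)
                verdicts[label] = "allowed"
            except UnsafePathError:
                verdicts[label] = "rejected"
        return verdicts


if __name__ == "__main__":
    print(demo())
```

Only the plain in-directory filename is accepted; the relative, absolute and symlinked routes to the file outside the examples directory are all rejected by the same containment check.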

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: agentscope (PyPI)
Affected versions: <= 0.0.4
Patched versions: (none listed)

Patches

0

No patches discovered yet.
