Path Traversal in modelscope/agentscope
Description
A path traversal vulnerability exists in the modelscope/agentscope application, affecting all versions. The vulnerability is present in the /delete-workflow endpoint, allowing an attacker to delete arbitrary files from the filesystem. This issue arises due to improper input validation, enabling the attacker to manipulate file paths and delete sensitive files outside of the intended directory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal vulnerability in the /delete-workflow endpoint of modelscope/agentscope allows arbitrary file deletion due to improper input validation.
Root Cause
A path traversal vulnerability exists in the /delete-workflow endpoint of the modelscope/agentscope application, affecting all versions. The issue arises from improper input validation of user-supplied filenames, allowing an attacker to manipulate file paths and delete sensitive files outside of the intended directory. The vulnerability stems from insufficient checks on the filename parameter, enabling path traversal sequences like ../ to reference arbitrary locations on the filesystem [2][3].
Exploitation
Exploitation requires network access to the AgentScope application and the ability to send HTTP requests to the /delete-workflow endpoint. An attacker can craft a request with a malicious filename containing path traversal sequences (e.g., ../../etc/passwd). No authentication is mentioned as a prerequisite, making the vulnerability accessible to any unauthenticated user who can reach the endpoint [2][3].
Impact
Successful exploitation allows an attacker to delete arbitrary files on the server. This can lead to data loss, service disruption, or potential compromise of the application if critical configuration files, databases, or executables are removed. The severity is high due to the potential for irreversible damage [2].
Mitigation
The vendor has addressed the vulnerability in a commit [4] that adds two critical checks: first, it verifies that the filename ends with .json, restricting deletions to only JSON files; second, it uses os.path.basename() to strip any directory components from the filename, effectively preventing path traversal. Users are advised to update to the latest version of AgentScope that includes this fix [1][4].
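The two checks described above, next to the unvalidated join, as an added example that is not AgentScope's own code. The function names, the extra containment check and the sample filenames are assumptions constructed for illustration.

```python
import os
import tempfile


def is_inside(base: str, path: str) -> bool:
    """True if path, with '..' and symlinks resolved, lies under base."""
    base = os.path.realpath(base)
    return os.path.commonpath([base, os.path.realpath(path)]) == base


def unsafe_path(user_dir: str, filename: str) -> str:
    """Unvalidated join: the behaviour the description attributes to the bug."""
    return os.path.join(user_dir, filename)


def safe_path(user_dir: str, filename: str) -> str:
    """The fix's two checks, plus a containment check added in this example."""
    if not filename:
        raise ValueError("Filename is required")
    if not filename.endswith(".json"):
        raise ValueError("Only JSON files can be deleted")
    # Strip every directory component so only a bare file name is joined.
    path = os.path.join(user_dir, os.path.basename(filename))
    # Defence in depth (assumption, not in the fix): the resolved path must
    # still sit under user_dir even if the join logic changes later.
    if not is_inside(user_dir, path):
        raise ValueError("Path escapes the workflow directory")
    return path


def demo() -> dict:
    """Run constructed filenames through both functions in a temp tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        user_dir = os.path.join(root, "workflows", "user1")
        os.makedirs(user_dir)
        for name in ("flow.json", "../../etc/passwd", "../other/flow.json"):
            escaped = not is_inside(user_dir, unsafe_path(user_dir, name))
            try:
                fixed = os.path.relpath(safe_path(user_dir, name), user_dir)
            except ValueError as exc:
                fixed = f"rejected: {exc}"
            results[name] = (escaped, fixed)
    return results


if __name__ == "__main__":
    for name, (escaped, fixed) in demo().items():
        print(f"{name!r}: unsafe join escapes={escaped}, fixed -> {fixed}")
```

A `.json` name that carries directory components is not rejected by these checks; it is reduced to its base name and resolved inside the user's own directory.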
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| agentscope (PyPI) | <= 0.1.1 | — |
Affected products
- modelscope/modelscope/agentscope v5, Range: unspecified
Patches
7d285e862f86 Update delete_workflow (#459)
1 file changed · +5 −0
src/agentscope/studio/_app.py+5 −0 modified@@ -764,6 +764,11 @@ def _delete_workflow() -> Response: if not filename: return jsonify({"error": "Filename is required"}) + if not filename.endswith(".json"): + return jsonify({"error": "Only JSON files can be deleted"}) + + filename = os.path.basename(filename) + filepath = os.path.join(user_dir, filename) if not os.path.exists(filepath): return jsonify({"error": "File not found"})
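Review bot: the new `.json` rejection branch returns `jsonify({"error": "Only JSON files can be deleted"})` with no status code, so a blocked request comes back as HTTP 200 like the existing "Filename is required" and "File not found" branches; returning 400 would let clients and access logs tell rejected input apart from success. Running the `endswith(".json")` check before `os.path.basename()` is sound because basename keeps the tail of the string, but an explicit check that the joined `filepath` still resolves under `user_dir` would state the intent directly. The change also touches only `_app.py`, so a regression test that sends a `../` filename to `_delete_workflow` would be worth adding.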
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-c4cc-w454-4634 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-8537 (ghsa, ADVISORY)
- github.com/modelscope/agentscope/blob/01530ee6a99c86426aab1be11ec3b3b86ca640ac/src/agentscope/studio/_app.py (ghsa, WEB)
- github.com/modelscope/agentscope/commit/7d285e862f86fa1d96ed04c4cd40a5f1b8f9189a (ghsa, WEB)
- github.com/modelscope/agentscope/pull/459 (ghsa, WEB)
- huntr.com/bounties/eeb8aa4b-e6e5-465c-b0dd-aa97e3b7dc09 (ghsa, WEB)