Path Traversal in modelscope/agentscope
Description
A path traversal vulnerability exists in the save-workflow and load-workflow functionality of modelscope/agentscope versions prior to the fix. This vulnerability allows an attacker to read and write arbitrary JSON files on the filesystem, potentially leading to the exposure or modification of sensitive information such as configuration files, API keys, and hardcoded passwords.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal in AgentScope's save-workflow/load-workflow allows reading/writing arbitrary JSON files, exposing keys and credentials.
Vulnerability Description
A path traversal vulnerability exists in the save-workflow and load-workflow functionality of the modelscope/agentscope Python library prior to the fix [2]. The flaw allows an attacker to navigate outside the intended directory and read or write arbitrary JSON files on the filesystem. The vulnerable code resides in src/agentscope/studio/_app.py where user-supplied path inputs are not properly sanitized [3].
Attack Vector & Exploitation
Exploitation does not require authentication if the workflow endpoints are exposed. An attacker can send crafted requests with directory traversal sequences (e.g., ../) in the workflow name or path parameter. The attacker can then read sensitive JSON files, such as configuration files or files containing API keys, or overwrite them with malicious JSON content. No special network position is needed beyond network access to the AgentScope service.
Impact
Successful exploitation leads to exposure or modification of sensitive information including API keys, hardcoded passwords, and other secrets stored in JSON files on the server [2]. This could result in privilege escalation, lateral movement, or compromise of connected services.
Mitigation
The issue is fixed in later versions of AgentScope. Users should update to the latest release. No workaround is publicly documented. The vulnerability does not appear on the CISA KEV list as of publication.
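An added example, not AgentScope's code or its actual fix: the flawed pattern the description points to (a client-supplied workflow name joined straight into a file path) beside a resolver that confines save and load to one storage directory. All function names, the name allowlist and the sample inputs are assumptions constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

# Hypothetical names throughout; this is not AgentScope's code or its patch.
_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

def unsafe_workflow_path(base_dir: str, name: str) -> Path:
    """The flawed pattern: the client-supplied name is joined as-is."""
    return Path(base_dir) / f"{name}.json"

def safe_workflow_path(base_dir: str, name: str) -> Path:
    """Map a workflow name to a .json file that must stay inside base_dir."""
    # 1. Allowlist the name: no separators, dots, NUL bytes or empty strings.
    if not isinstance(name, str) or not _NAME_RE.fullmatch(name):
        raise ValueError("invalid workflow name")
    base = Path(base_dir).resolve()
    # 2. Resolve '..' and symlinks, then confirm containment (defence in depth).
    candidate = (base / f"{name}.json").resolve()
    if not candidate.is_relative_to(base):  # Python 3.9+
        raise ValueError("workflow path escapes the storage directory")
    return candidate

def save_workflow(base_dir: str, name: str, workflow: dict) -> Path:
    path = safe_workflow_path(base_dir, name)
    path.write_text(json.dumps(workflow), encoding="utf-8")
    return path

def load_workflow(base_dir: str, name: str) -> dict:
    return json.loads(safe_workflow_path(base_dir, name).read_text(encoding="utf-8"))

def demo() -> dict:
    """Constructed inputs: one legitimate name and several traversal attempts."""
    with tempfile.TemporaryDirectory() as root:
        store = Path(root) / "workflows"
        store.mkdir()
        save_workflow(str(store), "my_flow", {"nodes": []})
        loaded = load_workflow(str(store), "my_flow")
        escaped = unsafe_workflow_path(str(store), "../config").resolve()
        rejected = []
        for bad in ["../config", "..\\config", "/etc/app/config", "a/../../b", ""]:
            try:
                safe_workflow_path(str(store), bad)
            except ValueError:
                rejected.append(bad)
        return {"roundtrip": loaded, "rejected": rejected,
                "unsafe_escapes": not escaped.is_relative_to(store.resolve())}
```

The containment check after `resolve()` is what catches a symlink planted inside the storage directory, which the name allowlist alone would let through.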
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| agentscope (PyPI) | <= 0.1.1 | — |
Affected products (3)
- modelscope/modelscope/agentscope v5, Range: unspecified
Patches
No patches discovered yet.