Relative Path Traversal

CVE-2024-8551

High

9.1/10

Summary

A path traversal vulnerability exists in the "save-workflow" and "load-workflow" functionalities of modelscope/agentscope. This vulnerability allows an attacker to read and write arbitrary JSON files on the filesystem, potentially exposing or modifying sensitive information such as configuration files, API keys, and hardcoded passwords. This issue affects agentscope versions 0.1.0 and after.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-23 - Relative Path Traversal

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

References

Advisory
Disclosure

Advisory Timeline

Published Mar 20, 2025

Relative Path Traversal

CVE-2024-8551

Summary

CWE-23 - Relative Path Traversal

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS