Package details: pkg:pypi/agentscope@0.0.4
purl pkg:pypi/agentscope@0.0.4
Next non-vulnerable version 0.0.5a1
Latest non-vulnerable version 0.0.5a1
Risk 4.4
Vulnerabilities affecting this package (5)
Vulnerability Summary Fixed by
VCID-1xmd-hhwq-xuay
Aliases:
CVE-2024-8501
GHSA-p6h7-hfj2-vmcf
PYSEC-2025-82
An arbitrary file download vulnerability exists in the rpc_agent_client component of modelscope/agentscope version v0.0.4. This vulnerability allows any user to download any file from the rpc_agent's host by exploiting the download_file method. This can lead to unauthorized access to sensitive information, including configuration files, credentials, and potentially system files, which may facilitate further exploitation such as privilege escalation or lateral movement within the network.
Fixed by: There are no reported fixed by versions.
VCID-5dat-tj2v-23fv
Aliases:
CVE-2024-48050
GHSA-6p55-qr3j-mpgq
PYSEC-2024-262
In agentscope <=v0.0.4, the file `agentscope\web\workstation\workflow_utils.py` has the function `is_callable_expression`. Within this function, the line `result = eval(s)` poses a security risk as it can directly execute user-provided commands.
Fixed by: 0.0.5a1
Affected by 0 other vulnerabilities.
VCID-k2h8-kskt-2kfy
Aliases:
CVE-2024-8524
GHSA-6v28-q95m-93qr
PYSEC-2025-83
A directory traversal vulnerability exists in modelscope/agentscope version 0.0.4. An attacker can exploit this vulnerability to read any local JSON file by sending a crafted POST request to the /read-examples endpoint.
Fixed by: There are no reported fixed by versions.
VCID-u1rv-r257-mfhx
Aliases:
CVE-2024-8487
GHSA-75v5-6885-59f9
PYSEC-2025-81
A Cross-Origin Resource Sharing (CORS) vulnerability exists in modelscope/agentscope version v0.0.4. The CORS configuration on the agentscope server does not properly restrict access to only trusted origins, allowing any external domain to make requests to the API. This can lead to unauthorized data access, information disclosure, and potential further exploitation, thereby compromising the integrity and confidentiality of the system.
Fixed by: There are no reported fixed by versions.
VCID-yff9-pv3a-q3fe
Aliases:
CVE-2024-8438
GHSA-f4hc-q562-cc5r
PYSEC-2025-80
A path traversal vulnerability exists in modelscope/agentscope version v.0.0.4. The API endpoint `/api/file` does not properly sanitize the `path` parameter, allowing an attacker to read arbitrary files on the server.
Fixed by: There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-04T16:23:37.690970+00:00 | GitLab Importer | Affected by | VCID-k2h8-kskt-2kfy | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/agentscope/CVE-2024-8524.yml | 38.6.0 |
| 2026-06-04T16:23:36.451732+00:00 | GitLab Importer | Affected by | VCID-1xmd-hhwq-xuay | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/agentscope/CVE-2024-8501.yml | 38.6.0 |
| 2026-06-04T16:23:35.524128+00:00 | GitLab Importer | Affected by | VCID-yff9-pv3a-q3fe | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/agentscope/CVE-2024-8438.yml | 38.6.0 |
| 2026-06-04T16:23:34.387911+00:00 | GitLab Importer | Affected by | VCID-u1rv-r257-mfhx | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/agentscope/CVE-2024-8487.yml | 38.6.0 |
| 2026-06-02T04:22:27.861913+00:00 | Pypa Importer | Affected by | VCID-5dat-tj2v-23fv | https://github.com/pypa/advisory-database/blob/main/vulns/agentscope/PYSEC-2024-262.yaml | 38.6.0 |