{"id":"GHSA-6v28-q95m-93qr","summary":"AgentScope directory traversal vulnerability in /read-examples","details":"A directory traversal vulnerability exists in modelscope/agentscope version 0.0.4; the affected range in this record covers every release up to and including 0.0.4 and lists no fixed version. A remote, unauthenticated attacker can exploit this vulnerability to read any local JSON file by sending a crafted POST request to the /read-examples endpoint, because the request-controlled file path is not restricted to an intended directory (CWE-22, CWE-73).","aliases":["CVE-2024-8524","PYSEC-2025-83"],"modified":"2026-06-05T14:30:13.778483464Z","published":"2025-03-20T12:32:48Z","database_specific":{"severity":"HIGH","github_reviewed_at":"2025-03-20T20:50:47Z","nvd_published_at":"2025-03-20T10:15:42Z","github_reviewed":true,"cwe_ids":["CWE-22","CWE-73"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-8524"},{"type":"PACKAGE","url":"https://github.com/modelscope/agentscope"},{"type":"WEB","url":"https://github.com/modelscope/agentscope/blob/af8e45ded37b3834c981473b309239e0102473d0/src/agentscope/studio/_app.py#L642"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/agentscope/PYSEC-2025-83.yaml"},{"type":"WEB","url":"https://huntr.com/bounties/cc4acf33-700d-4220-8a8a-db28f5c4cc8f"}],"affected":[{"package":{"name":"agentscope","ecosystem":"PyPI","purl":"pkg:pypi/agentscope"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"0.0.4"}]}],"versions":["0.0.1","0.0.2","0.0.3","0.0.4"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-6v28-q95m-93qr/GHSA-6v28-q95m-93qr.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}