{"id":"PYSEC-2025-80","details":"A path traversal vulnerability exists in modelscope/agentscope version 0.0.4. The API endpoint `/api/file` does not properly sanitize the `path` parameter, allowing an attacker to read arbitrary files on the server.","aliases":["CVE-2024-8438","GHSA-f4hc-q562-cc5r"],"modified":"2026-06-10T17:00:08.699206014Z","published":"2025-03-20T10:15:42.240Z","references":[{"type":"EVIDENCE","url":"https://huntr.com/bounties/3f170c58-42ee-422d-ab6f-32c7aa05b974"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-f4hc-q562-cc5r"}],"affected":[{"package":{"name":"agentscope","ecosystem":"PyPI","purl":"pkg:pypi/agentscope"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"0.0.4"}]}],"versions":["0.0.1","0.0.2","0.0.3","0.0.4"],"ecosystem_specific":{},"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/agentscope/PYSEC-2025-80.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}