CVE-2024-8501

HighPublic PoC

Published: 20 March 2025

Published

20 March 2025

Modified

01 April 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0052 66.8th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-8501 is a high-severity Absolute Path Traversal (CWE-36) vulnerability in Modelscope Agentscope. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 33.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Validates the file path input to the download_file method to block absolute path traversal and prevent unauthorized file downloads from the host.

AC-3 Access Enforcement good match

prevent

Enforces approved access authorizations to ensure low-privilege users cannot download arbitrary sensitive files from the rpc_agent host.

AC-6 Least Privilege partial match

prevent

Limits user privileges to the minimum necessary, reducing the scope of accessible sensitive files even if the download_file method is exploited.

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

T1552.001 Credentials In Files Credential Access

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

attack.mitre.org →

Why these techniques?

Arbitrary file download via path traversal directly enables retrieval of sensitive data from the local system (T1005) and unsecured credentials stored in files (T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

An arbitrary file download vulnerability exists in the rpc_agent_client component of modelscope/agentscope version v0.0.4. This vulnerability allows any user to download any file from the rpc_agent's host by exploiting the download_file method. This can lead to unauthorized access to sensitive…

information, including configuration files, credentials, and potentially system files, which may facilitate further exploitation such as privilege escalation or lateral movement within the network.

Deeper analysisAI

CVE-2024-8501 is an arbitrary file download vulnerability in the rpc_agent_client component of modelscope/agentscope version v0.0.4. The issue stems from the download_file method, which permits any user to retrieve arbitrary files from the rpc_agent's host, potentially exposing sensitive information such as configuration files, credentials, and system files.

The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-36 (Absolute Path Traversal). It can be exploited remotely by any user with low privileges over the network without requiring user interaction, enabling high-impact unauthorized access that could facilitate further attacks like privilege escalation or lateral movement within a network.

Details on the vulnerability, including potential mitigations, are available in the advisory published via the Huntr bounty program at https://huntr.com/bounties/83e433c0-ed2d-4b10-8358-d3c1eee0a47c. The CVE was published on 2025-03-20.