| Title | AgentScope <= 1.0.18 Server-Side Request Forgery (CWE-918) |
|---|
| Description |
# Technical Details
A Full (Non-Blind) Server-Side Request Forgery (SSRF) vulnerability exists in the multimodal content block formatters, specifically within `_get_bytes_from_web_url()` in `src/agentscope/_utils/_common.py` and `_to_openai_audio_data()` in `src/agentscope/formatter/_openai_formatter.py` of AgentScope.
The application's multimodal content processing pipeline fetches URLs from user-supplied content blocks using `requests.get()` without any URL validation (no private IP blocking or scheme restrictions). The fetched response is base64-encoded and returned directly in the formatter output, enabling direct data exfiltration.
# Vulnerable Code
File: `src/agentscope/_utils/_common.py` and `src/agentscope/formatter/_openai_formatter.py`
Method: `_get_bytes_from_web_url`, `_to_openai_audio_data`
Why: When a `Msg` object contains audio, image, or video content blocks with a `url` source, the formatters execute `requests.get(url)` to retrieve the media for LLM API consumption. They then unconditionally return `base64.b64encode(response.content).decode("ascii")` back to the user flow without validating whether the host resolves to an internal/private IP address.
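One way to add the missing validation before the fetch, as an added example that is not AgentScope's code or its fix: `check_media_url`, `UnsafeURLError` and the injectable `resolver` parameter are hypothetical names, and the hostnames and addresses in the demo are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class UnsafeURLError(ValueError):
    """Raised when a media URL must not be fetched by the server."""


def _resolve(host, port):
    """Default resolver: every address the hostname maps to."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def check_media_url(url, resolver=_resolve):
    """Return the vetted addresses for url, or raise UnsafeURLError."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as exc:
        raise UnsafeURLError(f"malformed URL: {exc}") from exc
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise UnsafeURLError("scheme or host not allowed")
    try:
        addresses = resolver(parts.hostname, port)
    except OSError as exc:
        raise UnsafeURLError(f"cannot resolve host: {exc}") from exc
    if not addresses:
        raise UnsafeURLError("host resolved to no addresses")
    for addr in addresses:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        # An IPv4-mapped IPv6 address is judged by its embedded IPv4 form.
        ip = getattr(ip, "ipv4_mapped", None) or ip
        # Reject loopback, private, link-local (metadata) and reserved ranges.
        if not ip.is_global:
            raise UnsafeURLError(f"{parts.hostname} resolves to non-public {ip}")
    return addresses


if __name__ == "__main__":
    # Constructed DNS answers so the demo runs offline.
    fake = {"media.example": ["93.184.216.34"], "meta.example": ["169.254.169.254"]}
    for u in ("https://media.example/a.wav", "http://meta.example/role.wav"):
        try:
            print(u, "->", check_media_url(u, lambda h, p: fake[h]))
        except UnsafeURLError as err:
            print(u, "-> rejected:", err)
```

A caller would fetch only after this check passes, with `allow_redirects=False` on `requests.get()` so that a redirect cannot lead to an address that was never checked. Connecting to one of the returned addresses, rather than resolving the name a second time, keeps the lookup that was vetted and the one that is fetched the same.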
# Reproduction
1. Deploy an AgentScope application that accepts multimodal messages and formats them for an LLM API (such as OpenAI, Ollama, or Gemini).
2. Send an HTTP POST request with a crafted multimodal content block (e.g., an audio block) targeting a cloud metadata endpoint or internal API. For example, set the URL to `http://x.x.x.x/latest/meta-data/iam/security-credentials/role.wav` (appending `.wav` bypasses basic extension checks).
3. The server performs the GET request to the internal/metadata address, fetches the secret data, base64 encodes it, and serializes it in the JSON response under `formatted_messages`.
4. The attacker decodes the base64 string from the API response to retrieve the sensitive data.
# Impact
- Direct Cloud Credential Theft (Full exfiltration of AWS/GCP/Azure IAM credentials from metadata endpoints)
- Internal Service Data Exfiltration (Accessing internal APIs, databases, or admin panels)
- Internal Network Reconnaissance and Port Scanning |
|---|
| Source | https://gist.github.com/YLChen-007/ced2d438ae79a5a11cea663c1ba2c954 |
|---|
| User | Eric-f (UID 96873) |
|---|
| Submission | 29.03.2026 05:36 (23 days ago) |
|---|
| Moderation | 19.04.2026 16:12 (21 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 358240 [modelscope agentscope up to 1.0.18 Internal Service _common.py _get_bytes_from_web_url privilege escalation] |
|---|
| Points | 20 |
|---|