Submit #792226: AgentScope <= 1.0.18 Server-Side Request Forgery (CWE-918)

Title: AgentScope <= 1.0.18 Server-Side Request Forgery (CWE-918)
Description:

# Technical Details

A Blind Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI) vulnerability exists in the `_process_audio_block` method in `src/agentscope/agent/_agent_base.py` of AgentScope, which also leads to a severe Denial of Service (DoS). When an audio content block is processed, the application uses `urllib.request.urlopen(url)` to fetch the audio, which natively supports the `file://` protocol. Furthermore, it calls `.read()` on the response without any bounds checking or size limits.

# Vulnerable Code

File: `src/agentscope/agent/_agent_base.py`

Method: `_process_audio_block`

Why: The method extracts the URL from the audio block construct (`audio_block["source"]["url"]`), performs zero validation, and directly fetches it using the standard `urllib.request.urlopen()`. The fetched data is entirely read into memory at once via `response.read()` before being passed to `wave.open()` and `sounddevice`.

# Reproduction

1. Deploy an AgentScope application with a ReActAgent that handles audio content blocks.
2. An attacker provides input that influences the agent to generate a message with a malicious audio block, or the attacker injects the block directly.
3. For file existence probing (LFI/Blind SSRF), use a payload URL like `file://[etc]/passwd`. The server reads the file natively and fails during the `wave.open()` parsing phase, creating an observable error-handling differential to verify file existence.
4. For Denial of Service, use a payload URL pointing to an infinite stream, such as `file://[dev]/urandom` or `file://[dev]/zero`. The `.read()` function will execute indefinitely, consuming memory at approximately 100MB/s until the Linux OOM killer crashes the application.

# Impact

- Denial of Service (Reliable, single-request arbitrary process crash via unbounded memory consumption of `/dev/urandom`).
- Local File Inclusion / File Existence Probing (Attacker can probe the internal file system).
- Blind Server-Side Request Forgery (Probing internal HTTP targets relying on timing differentials).
Source: https://gist.github.com/YLChen-007/4e589eec07446726612dc416a7d80820
User: Eric-f (UID 96873)
Submission: 29/03/2026 05:39 (23 days ago)
Moderation: 19/04/2026 16:12 (21 days later)
Status: Accepted
VulDB entry: 358241 [modelscope agentscope up to 1.0.18 _agent_base.py _process_audio_block url privilege escalation]
Points: 20
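
A defensive counterpart to the `urlopen(url)` plus unbounded `.read()` pattern described in the submission, as an added example that is not AgentScope's code or its fix. The names `validate_audio_url`, `read_capped`, `fetch_audio` and `UnsafeAudioSource` and the 10 MiB cap are assumptions made for illustration.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit

# Hypothetical names and limits for this example, not AgentScope's own.
MAX_AUDIO_BYTES = 10 * 1024 * 1024  # assumed cap
ALLOWED_SCHEMES = {"http", "https"}  # file:// and everything else is refused


class UnsafeAudioSource(ValueError):
    """Raised when a URL or response fails the checks below."""


def validate_audio_url(url, resolve=socket.getaddrinfo):
    """Refuse non-HTTP(S) schemes and hosts that resolve to non-public IPs."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        raise UnsafeAudioSource(f"scheme or host not allowed: {url!r}")
    for info in resolve(parts.hostname, parts.port or 443, type=socket.SOCK_STREAM):
        addr = ipaddress.ip_address(info[4][0])
        if not addr.is_global:  # loopback, RFC 1918, link-local, ...
            raise UnsafeAudioSource(f"{parts.hostname} resolves to {addr}")
    return url


def read_capped(stream, limit=MAX_AUDIO_BYTES, chunk=64 * 1024):
    """Read at most `limit` bytes; raise instead of buffering an endless stream."""
    buf = bytearray()
    while True:
        data = stream.read(min(chunk, limit + 1 - len(buf)))
        if not data:
            return bytes(buf)
        buf += data
        if len(buf) > limit:
            raise UnsafeAudioSource(f"audio exceeds {limit} bytes")


class _RevalidatingRedirects(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        validate_audio_url(newurl)  # a redirect must pass the same checks
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch_audio(url, timeout=5):
    """Validated, size-capped stand-in for urlopen(url).read()."""
    opener = urllib.request.build_opener(_RevalidatingRedirects)
    with opener.open(validate_audio_url(url), timeout=timeout) as resp:
        return read_capped(resp)
```

The hostname is resolved once for validation and again by the connection itself, so the address check can be bypassed if DNS answers change in between; connecting to the validated address or sending fetches through an egress proxy closes that gap.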
