Submission #792225: AgentScope <= 1.0.18 Server-Side Request Forgery (CWE-918) information

Title: AgentScope <= 1.0.18 Server-Side Request Forgery (CWE-918)

Description:

# Technical Details

A Full (Non-Blind) Server-Side Request Forgery (SSRF) vulnerability exists in the multimodal content block formatters, specifically within `_get_bytes_from_web_url()` in `src/agentscope/_utils/_common.py` and `_to_openai_audio_data()` in `src/agentscope/formatter/_openai_formatter.py` of AgentScope. The application's multimodal content processing pipeline fetches URLs from user-supplied content blocks using `requests.get()` without any URL validation (no private IP blocking or scheme restrictions). The fetched response is base64-encoded and returned directly in the formatter output, enabling direct data exfiltration.

# Vulnerable Code

- File: `src/agentscope/_utils/_common.py` and `src/agentscope/formatter/_openai_formatter.py`
- Method: `_get_bytes_from_web_url`, `_to_openai_audio_data`
- Why: When a `Msg` object contains audio, image, or video content blocks with a `url` source, the formatters execute `requests.get(url)` to retrieve the media for LLM API consumption. It then unconditionally returns `base64.b64encode(response.content).decode("ascii")` back to the user flow without validating whether the host resolves to an internal/private IP address.

# Reproduction

1. Deploy an AgentScope application that accepts multimodal messages and formats them for an LLM API (such as OpenAI, Ollama, or Gemini).
2. Send an HTTP POST request with a crafted multimodal content block (e.g., an audio block) targeting a cloud metadata endpoint or internal API. For example, setting the URL to `http://x.x.x.x/latest/meta-data/iam/security-credentials/role.wav` (appending `.wav` bypasses basic extension checks).
3. The server performs the GET request to the internal/metadata address, fetches the secret data, base64-encodes it, and serializes it in the JSON response under `formatted_messages`.
4. The attacker decodes the base64 string from the API response to retrieve the sensitive data.

# Impact

- Direct Cloud Credential Theft (Full exfiltration of AWS/GCP/Azure IAM credentials from metadata endpoints)
- Internal Service Data Exfiltration (Accessing internal APIs, databases, or admin panels)
- Internal Network Reconnaissance and Port Scanning
Source: https://gist.github.com/YLChen-007/ced2d438ae79a5a11cea663c1ba2c954
User: Eric-f (UID 96873)
Submission: 2026-03-29 05:36 (23 days ago)
Moderation: 2026-04-19 16:12 (21 days later)
Status: Accepted
VulDB entry: 358240 [modelscope agentscope up to 1.0.18 Internal Service _common.py _get_bytes_from_web_url privilege escalation]
Points: 20
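
The description names the missing control: no scheme restriction and no check on where the host resolves. As an added example (not AgentScope's code and not the project's fix), this is one way to validate a media URL before any fetch; `resolve_public_addresses`, `UnsafeURLError` and the sample URLs are hypothetical names and constructed inputs.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: media is only fetched over HTTP(S)


class UnsafeURLError(ValueError):
    """The URL must not be fetched from the server side."""


def _system_resolver(host, port):
    # Resolve through the OS so odd literal forms are judged as the socket layer sees them.
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def resolve_public_addresses(url, resolver=_system_resolver):
    """Return the public IPs behind a media URL, or raise UnsafeURLError."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURLError(f"scheme not allowed: {scheme!r}")
    if not parts.hostname or parts.username or parts.password:
        raise UnsafeURLError("missing host or embedded credentials")
    port = parts.port or (443 if scheme == "https" else 80)
    try:
        addresses = resolver(parts.hostname, port)
    except OSError as exc:
        raise UnsafeURLError(f"cannot resolve {parts.hostname!r}") from exc
    if not addresses:
        raise UnsafeURLError(f"no addresses for {parts.hostname!r}")
    checked = []
    for raw in addresses:
        ip = ipaddress.ip_address(raw.split("%")[0])  # drop any IPv6 zone id
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its IPv4 address
        # is_global is False for loopback, RFC 1918, link-local, CGNAT and reserved ranges.
        if not ip.is_global:
            raise UnsafeURLError(f"{parts.hostname} resolves to non-public {ip}")
        checked.append(str(ip))
    return checked  # a single internal record fails the whole URL


if __name__ == "__main__":
    # Constructed sample URLs; the file extension plays no part in the decision.
    for sample in ("http://127.0.0.1/role.wav", "http://10.0.0.5/a.wav", "file:///etc/passwd"):
        try:
            print(sample, "->", resolve_public_addresses(sample))
        except UnsafeURLError as err:
            print(sample, "-> blocked:", err)
```

The check only holds if the fetch then connects to one of the returned addresses and follows no redirects (`allow_redirects=False` in `requests`), because a second DNS lookup or a redirect can still land on an internal host.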
