| Title | AgentScope <= 1.0.18 Server-Side Request Forgery (CWE-918) |
|---|
| Description |
# Technical Details
A Blind Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI) vulnerability exists in the `_process_audio_block` method in `src/agentscope/agent/_agent_base.py` of AgentScope, which also leads to a severe Denial of Service (DoS).
When an audio content block is processed, the application uses `urllib.request.urlopen(url)` to fetch the audio, which natively supports the `file://` protocol. Furthermore, it calls `.read()` on the response without any bounds checking or size limits.
# Vulnerable Code
File: src/agentscope/agent/_agent_base.py
Method: _process_audio_block
Why: The method extracts the URL from the audio block construct (`audio_block["source"]["url"]`), performs zero validation, and directly fetches it using the standard `urllib.request.urlopen()`. The fetched data is entirely read into memory at once via `response.read()` before being passed to `wave.open()` and `sounddevice`.
# Reproduction
1. Deploy an AgentScope application with a ReActAgent that handles audio content blocks.
2. An attacker provides input that influences the agent to generate a message with a malicious audio block, or the attacker injects the block directly.
3. For file existence probing (LFI/Blind SSRF), use a payload URL like `file://[etc]/passwd`. The server reads the file natively and fails during the `wave.open()` parsing phase, creating an observable error-handling differential to verify file existence.
4. For Denial of Service, use a payload URL pointing to an infinite stream, such as `file://[dev]/urandom` or `file://[dev]/zero`. The `.read()` call never returns, consuming memory at approximately 100MB/s until the Linux OOM killer crashes the application.
# Impact
- Denial of Service (Reliable, single-request arbitrary process crash via unbounded memory consumption of `/dev/urandom`).
- Local File Inclusion / File Existence Probing (Attacker can probe the internal file system).
- Blind Server-Side Request Forgery (Probing internal HTTP targets relying on timing differentials). |
|---|
| Source | ⚠️ https://gist.github.com/YLChen-007/4e589eec07446726612dc416a7d80820 |
|---|
| User | Eric-f (UID 96873) |
|---|
| Submission | 2026-03-29 05:39 (23 days ago) |
|---|
| Moderation | 2026-04-19 16:12 (21 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 358241 [modelscope agentscope up to 1.0.18 _agent_base.py _process_audio_block url privilege escalation] |
|---|
| Points | 20 |
|---|
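
One way to close both issues described under Technical Details, the unrestricted URL scheme and the unbounded `.read()`, shown as an added example and not AgentScope's own code or its actual fix. The names `validate_audio_url`, `read_bounded`, `fetch_audio` and the 10 MiB cap are assumptions.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit

MAX_AUDIO_BYTES = 10 * 1024 * 1024  # assumed cap; size it to the largest clip you expect
ALLOWED_SCHEMES = {"http", "https"}  # file://, ftp://, data: and the rest are refused


def validate_audio_url(url: str) -> str:
    """Refuse non-HTTP(S) schemes and hosts that resolve to non-public addresses."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    port = parts.port or (443 if scheme == "https" else 80)
    for info in socket.getaddrinfo(parts.hostname, port, type=socket.SOCK_STREAM):
        # Drop any IPv6 zone suffix ("%eth0") before parsing the address.
        addr = ipaddress.ip_address(info[4][0].split("%")[0])
        if not addr.is_global:  # loopback, RFC 1918, link-local, metadata ranges
            raise ValueError(f"host resolves to non-public address {addr}")
    return url


def read_bounded(stream, limit: int = MAX_AUDIO_BYTES, chunk: int = 64 * 1024) -> bytes:
    """Read in chunks and fail once more than `limit` bytes have arrived."""
    buf = bytearray()
    while True:
        # Ask for at most one byte past the limit so an endless stream is cut off early.
        block = stream.read(min(chunk, limit + 1 - len(buf)))
        if not block:
            return bytes(buf)
        buf += block
        if len(buf) > limit:
            raise ValueError(f"audio exceeds {limit} bytes")


def fetch_audio(url: str, timeout: float = 10.0) -> bytes:
    """Hypothetical stand-in for the unvalidated urlopen(url).read() call."""
    validate_audio_url(url)
    with urllib.request.urlopen(url, timeout=timeout) as response:
        return read_bounded(response)
```

The address check runs before the fetch, so HTTP redirects and the second DNS lookup made by `urlopen` are not covered; disable redirects or connect to the already-resolved address where that matters.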