Cyber Posture

CVE-2024-8487

Critical · Public PoC

Published: 20 March 2025

Modified: 01 April 2025
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0026 (49.1th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2024-8487 is a Cross-Origin Resource Sharing (CORS) vulnerability in modelscope/agentscope version v0.0.4. The flaw stems from improper CORS configuration on the agentscope server, which fails to restrict access to only trusted origins. This allows any external domain to make requests to the API, potentially leading to unauthorized data access, information disclosure, and further exploitation that compromises the system's integrity and confidentiality. The vulnerability is rated with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-346 (Origin Validation Error).

The vulnerability can be exploited remotely over the network by any unauthenticated attacker with no privileges required and no user interaction needed. Attackers can leverage the misconfigured CORS policy to bypass origin restrictions, enabling cross-origin requests from malicious websites or scripts. Successful exploitation grants high-impact access to sensitive data, allows modification of resources (integrity impact), and disrupts service availability, facilitating broader compromise of the affected agentscope deployment.
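
As an added illustration of the origin-validation failure described above (not agentscope's code and not taken from the Huntr report), this Python sketch classifies a server's CORS response the way an auditor would and places an exact-match allow-list policy beside it. The function names, the probe origin, the allow-list and the sample headers are all constructed assumptions.

```python
"""CORS origin-validation audit (CWE-346). Added example; all names are hypothetical."""

PROBE_ORIGIN = "https://untrusted.example"  # constructed origin that is on no allow-list


def audit_cors(response_headers, probe_origin=PROBE_ORIGIN):
    """Classify the response to a request that was sent with `Origin: probe_origin`."""
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "ok: no cross-origin read access granted"
    if acao == "*":
        # Browsers refuse credentialed requests with '*', but any site can
        # still read unauthenticated API responses.
        return "finding: wildcard origin, API readable from any site"
    if acao == "null":
        return "finding: 'null' origin trusted (sandboxed iframes can send it)"
    if acao == probe_origin:
        if creds:
            return "finding: arbitrary origin reflected with credentials"
        return "finding: arbitrary origin reflected"
    return "ok: fixed origin " + acao


def cors_headers(request_origin, trusted_origins):
    """Hardened policy: exact-match allow-list, never echo an unknown origin."""
    if request_origin in trusted_origins:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Vary": "Origin",  # keep caches from serving one origin's grant to another
        }
    return {}  # no CORS headers: the browser blocks the cross-origin read


if __name__ == "__main__":
    trusted = {"https://studio.internal.example"}  # constructed allow-list
    samples = {  # constructed response headers
        "permissive": {"Access-Control-Allow-Origin": "*"},
        "reflecting": {"Access-Control-Allow-Origin": PROBE_ORIGIN,
                       "Access-Control-Allow-Credentials": "true"},
        "hardened": cors_headers(PROBE_ORIGIN, trusted),
    }
    for name, headers in samples.items():
        print(f"{name:11s} {audit_cors(headers)}")
```

CORS only governs what a browser lets another site read, so an allow-list complements authentication on the API rather than replacing it.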

Advisories and details on the vulnerability are documented in the Huntr bounty report at https://huntr.com/bounties/7aca7507-a94e-4e63-83a2-15648e5c4067, which disclosed the issue originally. The CVE was published on 2025-03-20T10:15:42.360.

Details

CWE(s)
CWE-346

Affected Products

modelscope
agentscope
0.0.4

MITRE ATT&CK Enterprise Techniques

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a misconfigured CORS policy in a public-facing agentscope server that allows remote unauthenticated cross-origin API access, directly enabling exploitation of the public-facing application as per T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
