CVE-2024-8502

A vulnerability in the RpcAgentServerLauncher class of modelscope/agentscope v0.0.6a3 allows for remote code execution (RCE) via deserialization of untrusted data using the dill library. The issue occurs in the AgentServerServicer.create_agent method, where serialized input is deserialized using dill.loads, enabling an attacker to execute arbitrary commands on the server.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/7a42da2a-2ae5-442d-aff9-c9a3b47870eb

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad en la clase RpcAgentServerLauncher de modelscope/agentscope v0.0.6a3 permite la ejecución remota de código (RCE) mediante la deserialización de datos no confiables mediante la librería dill. El problema se produce en el método AgentServerServicer.create_agent, donde la entrada serializada se deserializa mediante dill.loads, lo que permite a un atacante ejecutar comandos arbitrarios en el servidor.

20 Mar 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-20 10:15

Updated : 2026-04-15 00:35

NVD link : CVE-2024-8502

Mitre link : CVE-2024-8502

CVE.ORG link : CVE-2024-8502

JSON object : View

Products Affected

No product.

CWE

CWE-502

Deserialization of Untrusted Data

9.8 /10