CVE-2024-8502

Name of the Vulnerable Software and Affected Versions modelscope/agentscope version 0.0.6a3

Description A vulnerability in the RpcAgentServerLauncher class allows for remote code execution (RCE) via deserialization of untrusted data using the dill library. The issue occurs in the AgentServerServicer.create agent method, where serialized input is deserialized using dill.loads, enabling an attacker to execute arbitrary commands on the server.

Recommendations For modelscope/agentscope version 0.0.6a3, consider disabling the AgentServerServicer.create agent method until a patch is available to prevent remote code execution. Restrict access to the RpcAgentServerLauncher class to minimize the risk of exploitation. Avoid using the dill.loads function to deserialize untrusted input in the affected API endpoint until the issue is resolved.