CVE-2024-8502
Published 2025-03-20
CVE-2024-8502: A vulnerability in the RpcAgentServerLauncher class of modelscope/agentscope v0.0.6a3 allows for remote code execution (RCE) via deserialization of untrusted…
Priority: P267 · critical · 9.8 · CVSS 3.0
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.63% (73.3th percentile)
A vulnerability in the RpcAgentServerLauncher class of modelscope/agentscope v0.0.6a3 allows for remote code execution (RCE) via deserialization of untrusted data using the dill library. The issue occurs in the AgentServerServicer.create_agent method, where serialized input is deserialized using dill.loads, enabling an attacker to execute arbitrary commands on the server.
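One way to remove this kind of sink is to stop deserializing objects from the request at all and accept a data-only format whose class name is checked against an allow-list. The sketch below is an added example, not AgentScope's code or its fix; `create_agent_from_request`, `AGENT_REGISTRY`, `DialogAgent` and the request shape are hypothetical names chosen for illustration.

```python
import json

class DialogAgent:  # hypothetical stand-in for a real agent class
    def __init__(self, name, sys_prompt=""):
        self.name, self.sys_prompt = name, sys_prompt

# Only classes registered here can ever be instantiated from a request.
AGENT_REGISTRY = {"DialogAgent": DialogAgent}
ALLOWED_ARG_TYPES = (str, int, float, bool, type(None))
MAX_REQUEST_BYTES = 64 * 1024

class RejectedRequest(ValueError):
    """Raised for any request that fails validation."""

def create_agent_from_request(raw: bytes):
    """Build an agent from a JSON request instead of calling dill.loads(raw)."""
    if len(raw) > MAX_REQUEST_BYTES:
        raise RejectedRequest("request too large")
    try:
        req = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise RejectedRequest("not valid JSON") from exc
    if not isinstance(req, dict) or set(req) - {"class", "kwargs"}:
        raise RejectedRequest("unexpected request shape")
    cls_name = req.get("class")
    # The name is a lookup key only; it is never imported or evaluated.
    if not isinstance(cls_name, str) or cls_name not in AGENT_REGISTRY:
        raise RejectedRequest("agent class not allow-listed")
    kwargs = req.get("kwargs", {})
    if not isinstance(kwargs, dict):
        raise RejectedRequest("kwargs must be an object")
    for key, value in kwargs.items():
        if not isinstance(value, ALLOWED_ARG_TYPES):
            raise RejectedRequest(f"argument {key!r} is not a scalar")
    try:
        return AGENT_REGISTRY[cls_name](**kwargs)
    except TypeError as exc:
        raise RejectedRequest("arguments do not match constructor") from exc

if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    sample = b'{"class": "DialogAgent", "kwargs": {"name": "assistant"}}'
    print(create_agent_from_request(sample).name)
```

Where object serialization cannot be removed, the same allow-list idea applies, and the RPC port should additionally be reachable only by authenticated, trusted peers.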
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| modelscope | agentscope | 0 – 0.0.6a3 | — |
| modelscope | modelscope_agentscope | unspecified – latest | — |
GHSA
AgentScope Deserialization Vulnerability
ghsa·2025-03-20
CVE-2024-8502 [CRITICAL] CWE-502 AgentScope Deserialization Vulnerability
OSV
AgentScope Deserialization Vulnerability
osv·2025-03-20
CVE-2024-8502 [CRITICAL] AgentScope Deserialization Vulnerability
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-03-20