<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Agentscope - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/agentscope/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 10 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/agentscope/feed.xml" rel="self" type="application/rss+xml"/><item><title>modelscope agentscope Server-Side Request Forgery Vulnerability (CVE-2026-6604)</title><link>https://feed.craftedsignal.io/briefs/2024-01-agentscope-ssrf/</link><pubDate>Wed, 10 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-agentscope-ssrf/</guid><description>A server-side request forgery vulnerability (CVE-2026-6604) exists in modelscope agentscope up to version 1.0.18, allowing remote attackers to manipulate the image_url or audio_file_url arguments to perform SSRF attacks via the Cloud Metadata Endpoint component.</description><content:encoded><![CDATA[<p>A server-side request forgery (SSRF) vulnerability, identified as CVE-2026-6604, affects modelscope agentscope versions up to 1.0.18. The vulnerability resides within the <code>_parse_url</code>, <code>prepare_image</code>, and <code>openai_audio_to_text</code> functions of the <code>src/agentscope/tool/_multi_modality/_openai_tools.py</code> file, specifically impacting the Cloud Metadata Endpoint component. This flaw allows remote attackers to manipulate the <code>image_url</code> or <code>audio_file_url</code> arguments, potentially enabling them to make arbitrary HTTP requests from the affected server. The exploit is publicly available, increasing the risk of exploitation. The vendor was contacted, but did not respond.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable modelscope agentscope instance running version 1.0.18 or earlier.</li>
<li>The attacker crafts a malicious request targeting the <code>_parse_url</code>, <code>prepare_image</code>, or <code>openai_audio_to_text</code> functions within <code>src/agentscope/tool/_multi_modality/_openai_tools.py</code>.</li>
<li>The malicious request includes a manipulated <code>image_url</code> or <code>audio_file_url</code> parameter pointing to an internal or external resource controlled by the attacker.</li>
<li>The agentscope application processes the request and attempts to retrieve the resource specified in the manipulated URL.</li>
<li>Due to the SSRF vulnerability, the server makes an HTTP request to the attacker-controlled resource, potentially bypassing firewalls or other security controls.</li>
<li>The attacker's server receives the request from the vulnerable agentscope instance.</li>
<li>The attacker can then use the agentscope instance as a proxy to access internal resources or perform other malicious actions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this SSRF vulnerability (CVE-2026-6604) could allow an attacker to access sensitive information on the internal network, perform unauthorized actions on behalf of the server, or potentially escalate privileges. Depending on the configuration and network topology, the attacker could potentially gain access to other systems and data within the organization's infrastructure. This can lead to data breaches, service disruptions, and other security incidents.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade modelscope agentscope to a patched version beyond 1.0.18 to remediate CVE-2026-6604.</li>
<li>Implement input validation and sanitization on the <code>image_url</code> and <code>audio_file_url</code> parameters to prevent manipulation (reference the vulnerability description).</li>
<li>Monitor web server logs for suspicious requests targeting the <code>_parse_url</code>, <code>prepare_image</code>, and <code>openai_audio_to_text</code> functions in <code>src/agentscope/tool/_multi_modality/_openai_tools.py</code> (reference the attack chain).</li>
<li>Deploy the Sigma rules provided to detect potential exploitation attempts in your environment.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ssrf</category><category>cve-2026-6604</category><category>modelscope</category><category>agentscope</category></item></channel></rss>