{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/modelscope/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["agentscope"],"_cs_severities":["high"],"_cs_tags":["ssrf","cve-2026-6604","modelscope","agentscope"],"_cs_type":"advisory","_cs_vendors":["ModelScope"],"content_html":"\u003cp\u003eA server-side request forgery (SSRF) vulnerability, identified as CVE-2026-6604, affects modelscope agentscope versions up to 1.0.18. The vulnerability resides within the \u003ccode\u003e_parse_url\u003c/code\u003e, \u003ccode\u003eprepare_image\u003c/code\u003e, and \u003ccode\u003eopenai_audio_to_text\u003c/code\u003e functions of the \u003ccode\u003esrc/agentscope/tool/_multi_modality/_openai_tools.py\u003c/code\u003e file, specifically impacting the Cloud Metadata Endpoint component. This flaw allows remote attackers to manipulate the \u003ccode\u003eimage_url\u003c/code\u003e or \u003ccode\u003eaudio_file_url\u003c/code\u003e arguments, potentially enabling them to make arbitrary HTTP requests from the affected server. The exploit is publicly available, increasing the risk of exploitation. The vendor was contacted, but did not respond.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable modelscope agentscope instance running version 1.0.18 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request targeting the \u003ccode\u003e_parse_url\u003c/code\u003e, \u003ccode\u003eprepare_image\u003c/code\u003e, or \u003ccode\u003eopenai_audio_to_text\u003c/code\u003e functions within \u003ccode\u003esrc/agentscope/tool/_multi_modality/_openai_tools.py\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes a manipulated \u003ccode\u003eimage_url\u003c/code\u003e or \u003ccode\u003eaudio_file_url\u003c/code\u003e parameter pointing to an internal or external resource controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe agentscope application processes the request and attempts to retrieve the resource specified in the manipulated URL.\u003c/li\u003e\n\u003cli\u003eDue to the SSRF vulnerability, the server makes an HTTP request to the attacker-controlled resource, potentially bypassing firewalls or other security controls.\u003c/li\u003e\n\u003cli\u003eThe attacker's server receives the request from the vulnerable agentscope instance.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use the agentscope instance as a proxy to access internal resources or perform other malicious actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability (CVE-2026-6604) could allow an attacker to access sensitive information on the internal network, perform unauthorized actions on behalf of the server, or potentially escalate privileges. Depending on the configuration and network topology, the attacker could potentially gain access to other systems and data within the organization's infrastructure. This can lead to data breaches, service disruptions, and other security incidents.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade modelscope agentscope to a patched version beyond 1.0.18 to remediate CVE-2026-6604.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u003ccode\u003eimage_url\u003c/code\u003e and \u003ccode\u003eaudio_file_url\u003c/code\u003e parameters to prevent manipulation (reference the vulnerability description).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting the \u003ccode\u003e_parse_url\u003c/code\u003e, \u003ccode\u003eprepare_image\u003c/code\u003e, and \u003ccode\u003eopenai_audio_to_text\u003c/code\u003e functions in \u003ccode\u003esrc/agentscope/tool/_multi_modality/_openai_tools.py\u003c/code\u003e (reference the attack chain).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided to detect potential exploitation attempts in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-10T12:00:00Z","date_published":"2024-01-10T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-agentscope-ssrf/","summary":"A server-side request forgery vulnerability (CVE-2026-6604) exists in modelscope agentscope up to version 1.0.18, allowing remote attackers to manipulate the image_url or audio_file_url arguments to perform SSRF attacks via the Cloud Metadata Endpoint component.","title":"modelscope agentscope Server-Side Request Forgery Vulnerability (CVE-2026-6604)","url":"https://feed.craftedsignal.io/briefs/2024-01-agentscope-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed - Modelscope","version":"https://jsonfeed.org/version/1.1"}