CVE-2024-8438: AgentScope Path Traversal in /api/file

CVSS Score: 7.5 (CVSS 3.0)

Basic Information

EPSS Score: 0.21305%
Published: 3/20/2025
Updated: 3/20/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
agentscope   | pip       |                     |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability exists in the /api/file endpoint handled by the _get_file function. The function retrieves the 'path' parameter from request arguments and passes it directly to send_file() without any validation. There is no: 1) Path normalization, 2) Restriction to a safe base directory, or 3) Check for directory traversal sequences. This matches the CWE-22 description and the advisory's technical details about unsanitized path parameters enabling arbitrary file read.
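The hardened form of the handler the root cause analysis describes, as an added example that is not AgentScope's code: `resolve_under_base` supplies the three missing controls (normalization, confinement to a base directory, rejection of anything that escapes it), and `get_file` is a stand-in for the `/api/file` handler that takes a plain dict in place of `request.args` and returns a status code instead of calling `send_file()`. The function names and the temporary-directory fixture in `demo` are assumptions; in a real Flask app, `flask.send_from_directory(base_dir, path)` performs the same containment check.

```python
import tempfile
from pathlib import Path


class PathRejected(ValueError):
    """The requested path does not stay inside the allowed base directory."""


def resolve_under_base(base_dir: str, requested: str) -> Path:
    """Normalize `requested`, confine it to base_dir, and reject anything that escapes."""
    if not requested or "\x00" in requested:
        raise PathRejected("empty path or embedded NUL byte")
    req = Path(requested)
    if req.is_absolute() or req.drive:  # `base / req` would otherwise discard base
        raise PathRejected("absolute paths are not accepted")
    base = Path(base_dir).resolve(strict=True)
    # resolve() collapses '.', '..' and symlinks, so containment is checked on the
    # real filesystem location rather than on the attacker-supplied string.
    candidate = (base / req).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathRejected(f"{requested!r} resolves outside {base}") from None
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate


def get_file(args: dict, base_dir: str) -> tuple:
    """Hardened stand-in for /api/file: `args` plays request.args, bytes replace send_file()."""
    try:
        target = resolve_under_base(base_dir, args.get("path", ""))
    except PathRejected:
        return 400, b"invalid path"
    except FileNotFoundError:
        return 404, b"not found"
    return 200, target.read_bytes()


def demo() -> dict:
    """Constructed fixture: a temp base dir with one file; returns status per sample path."""
    samples = {
        "allowed": "report.txt",
        "dotdot_inside": "sub/../report.txt",   # normalizes back into base: served
        "traversal": "../../../../etc/passwd",  # resolves outside base: rejected
        "absolute": "/etc/passwd",
        "nul": "report.txt\x00",
        "missing": "absent.txt",
    }
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "report.txt").write_text("quarterly numbers")
        return {label: get_file({"path": p}, tmp)[0] for label, p in samples.items()}
```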


WAF Protection Rules

WAF Rule

A path traversal vulnerability exists in modelscope/agentscope version v.*.*.*. The API endpoint `/api/file` does not properly sanitize the `path` parameter, allowing an attacker to read arbitrary files on the server.
