Modelscope AgentScope Server-Side Request Forgery Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in Modelscope AgentScope versions through 1.0.18. The issue concerns the Cloud Metadata Endpoint and lies in the functions '_parse_url', 'prepare_image', and 'openai_audio_to_text', located in 'src/agentscope/tool/_multi_modality/_openai_tools.py'. Manipulating the 'image_url' or 'audio_file_url' arguments leads to unauthorized outbound HTTP requests from the server. The flaw can be exploited remotely, and a public exploit is available.
Impact
Exploitation of this vulnerability allows for blind SSRF, where the server makes outbound requests to internal networks or cloud metadata endpoints, but the response is not returned to the attacker. However, the request can trigger side effects on internal services or be used for reconnaissance by probing internal network topology and performing port scanning.
Reproduction
To reproduce this vulnerability, deploy an AgentScope 'ReactAgent' with OpenAI multimodal tools registered via 'Toolkit'. Then, send a prompt injection payload that includes a URL pointing to the internal cloud metadata endpoint. The LLM will generate a tool call with the injected URL, which the server will fetch, exploiting the SSRF vulnerability.
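One way to screen a URL such as 'image_url' or 'audio_file_url' before the server fetches it, shown as an added example that is not AgentScope's own code or its fix. The names 'check_fetch_url' and 'resolver' and the hostnames are hypothetical, and the DNS answers are constructed so the block runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _system_resolver(host, port):
    """Return every IP address the OS resolver gives for host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def _is_public(ip_text):
    ip = ipaddress.ip_address(ip_text.split("%")[0])  # drop IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 -> 169.254.169.254
    return ip.is_global  # False for loopback, private, link-local, reserved


def check_fetch_url(url, resolver=_system_resolver):
    """Return (ok, reason, addresses) for a URL taken from a tool call."""
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme not in ALLOWED_SCHEMES:
            return False, "scheme not allowed", set()
        if not parts.hostname or parts.username or parts.password:
            return False, "missing host or embedded credentials", set()
        port = parts.port or (443 if scheme == "https" else 80)
        addrs = set(resolver(parts.hostname, port))
    except (OSError, ValueError):
        return False, "unparseable or unresolvable", set()
    blocked = {a for a in addrs if not _is_public(a)}
    if blocked or not addrs:
        return False, "no address or non-public address", blocked
    return True, "ok", addrs


if __name__ == "__main__":
    # Constructed DNS answers so the demo runs offline (hypothetical names).
    fake_dns = {"img.example": {"93.184.216.34"},
                "meta.example": {"169.254.169.254"}}
    for u in ("https://img.example/cat.png", "http://meta.example/latest/"):
        print(u, check_fetch_url(u, lambda h, p: fake_dns[h]))
```

The fetch should connect to one of the returned addresses rather than resolving the name again, and every redirect target needs the same check.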
