Modelscope AgentScope Server-Side Request Forgery Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Modelscope AgentScope versions through 1.0.18. The issue arises in the Internal Service component, specifically within the function '_get_bytes_from_web_url' in 'src/agentscope/_utils/_common.py'. This vulnerability allows remote attackers to manipulate URL requests, leading to unauthorized access and exfiltration of internal data or cloud metadata credentials. The vulnerability is present in the application's multimodal content processing pipeline, which fetches URLs from user-supplied content blocks without proper validation. As a result, the fetched response is base64-encoded and returned in the formatter output, enabling direct data exfiltration.

Impact

Exploitation of this vulnerability allows for full (non-blind) SSRF, where the complete response from internal or cloud requests is returned to the attacker, base64-encoded. This could lead to theft of cloud credentials from metadata endpoints, exfiltration of internal service data, and reconnaissance of internal networks.

Reproduction

To reproduce this vulnerability, deploy an AgentScope application that accepts multimodal messages and formats them for an LLM API, such as OpenAI, Ollama, or Gemini. Then, send an HTTP POST request with a crafted multimodal content block that includes an audio, image, or video URL source targeting a cloud metadata endpoint or internal API. The server will fetch the URL server-side, base64-encode the response, and return it in the API response, where it can be decoded to access the exfiltrated data.