Modelscope AgentScope Blind Server-Side Request Forgery Vulnerability Allowing Local File Inclusion and Denial-of-Service

Vulnerability

A vulnerability in Modelscope AgentScope versions through 1.0.18 allows blind server-side request forgery (SSRF) with local file inclusion (LFI) capabilities, leading to a denial-of-service (DoS) condition. The issue is in the `_process_audio_block` function within `src/agentscope/agent/_agent_base.py`. When the application processes audio blocks, it uses `urllib.request.urlopen()` to fetch audio from URLs without any validation. This function supports the `file://` protocol, which enables LFI. The vulnerability can be exploited remotely, and a public exploit demonstrating the issue is available.

Impact

Exploitation of this vulnerability causes unbounded memory consumption, leading to a process crash. The absence of URL validation in the audio processing function allows attackers to probe the server's file system and internal HTTP services, creating potential side effects on those services.

Reproduction

To reproduce this vulnerability, deploy an AgentScope application with a ReActAgent that handles audio content blocks. An attacker can then inject a message containing a malicious audio block with a URL pointing to a local file, such as `file:///etc/passwd`. The server will read the file and attempt to process it as audio, causing an error that can be exploited to confirm the file's existence. For the denial-of-service aspect, the attacker can use a URL pointing to an infinite stream, like `file:///dev/urandom`, which will consume memory indefinitely until the process is terminated by the system.
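The missing controls described above (scheme validation, destination checks and a bound on the response size) can be sketched as follows. This is an added example, not AgentScope's code or its official fix; the names `check_audio_url`, `read_capped`, `fetch_audio` and `UnsafeAudioURL`, and the size cap, are assumptions made for illustration.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # assumption: audio is only fetched over HTTP(S)
MAX_AUDIO_BYTES = 25 * 1024 * 1024    # assumption: hypothetical cap, tune per deployment

class UnsafeAudioURL(ValueError):
    """Raised when an audio URL or its response violates the fetch policy."""

def check_audio_url(url, resolver=socket.getaddrinfo):
    """Reject non-HTTP(S) schemes and hosts that resolve to non-public addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:          # blocks file://, ftp://, data:, ...
        raise UnsafeAudioURL(f"scheme {parts.scheme!r} not allowed")
    if not parts.hostname:
        raise UnsafeAudioURL("URL has no host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    for info in resolver(parts.hostname, port, type=socket.SOCK_STREAM):
        addr = ipaddress.ip_address(info[4][0])
        if not addr.is_global:                       # loopback, RFC 1918, link-local, ...
            raise UnsafeAudioURL(f"{parts.hostname} resolves to non-public {addr}")
    return url

def read_capped(stream, limit=MAX_AUDIO_BYTES, chunk=64 * 1024):
    """Read in chunks and abort once the body exceeds `limit` bytes."""
    buf = bytearray()
    while data := stream.read(chunk):
        buf += data
        if len(buf) > limit:
            raise UnsafeAudioURL(f"response larger than {limit} bytes")
    return bytes(buf)

class _CheckedRedirects(urllib.request.HTTPRedirectHandler):
    """Apply the same policy to every redirect target."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        check_audio_url(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)

def fetch_audio(url, timeout=10):
    """Validated, size-bounded alternative to an unchecked urlopen() call."""
    check_audio_url(url)
    opener = urllib.request.build_opener(_CheckedRedirects)
    with opener.open(url, timeout=timeout) as resp:
        return read_capped(resp)
```

The address check and the later connection resolve the host name separately, so this sketch does not cover DNS rebinding; pinning the connection to the validated address or routing fetches through an egress proxy closes that gap.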

Added: Apr 20, 2026, 5:19 AM
Updated: Apr 20, 2026, 5:19 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.3
remediation: 0.0
relevance: 6.3
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.