CVE-2026-6605: AgentScope SSRF Vulnerability

Analysis of CVE-2026-6605 has identified a critical Server-Side Request Forgery (SSRF) vulnerability within the AgentScope framework (up to version 1.0.18). The flaw arises from insecure handling of URL-based multimodal content blocks, enabling unauthenticated remote attackers to perform a non-blind SSRF. Exploitation of this vulnerability allows the exfiltration of data from internal services or cloud metadata by abusing functions located in _utils/_common.py and formatter/_openai_formatter.py.

The issue is fundamentally a lack of validation in the AgentScope pipeline when fetching external content. The application accepts multimodal messages containing audio, image, or video blocks. When processed by formatters, these blocks are retrieved via requests.get() without filtering, enabling access to internal network infrastructure.

  • Utility: src/agentscope/_utils/_common.py in _get_bytes_from_web_url()
  • Formatter: src/agentscope/formatter/_openai_formatter.py in _to_openai_audio_data()

An attacker targets an AgentScope-based application by sending a malicious JSON payload:

{
  "type": "audio",
  "source": {
    "type": "url",
    "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/my-role.wav"
  }
}

The application attempts to fetch this content, and the resulting credential object is base64-encoded and transmitted back to the attacker.

Detection focuses on monitoring outbound network traffic from the AgentScope process toward internal network segments and sensitive cloud metadata endpoints.

title: AgentScope Full SSRF Attempt
status: experimental
description: Detects outbound requests from AgentScope processes to internal IP ranges.
logsource:
    category: network_connection
    product: linux
detection:
    selection:
        # CIDR ranges are only matched as networks with the cidr modifier
        DestinationIp|cidr:
            - '169.254.169.254/32'
            - '10.0.0.0/8'
            - '192.168.0.0/16'
            - '172.16.0.0/12'
        ProcessName: 'python*'
    condition: selection