Impact
The flaw lies in a routine that parses image and audio URLs in the Cloud Metadata Endpoint component of ModelScope Agentscope. By supplying a crafted URL, an attacker can force the application to perform internal or external HTTP requests, potentially accessing sensitive resources or exfiltrating data. The issue can be exploited remotely, and exploit code is publicly available. The weakness is a typical server-side request forgery (SSRF) vulnerability, classified as CWE-918 in the Common Weakness Enumeration. The reported CVSS score of 6.9 reflects a moderate risk to confidentiality and integrity for affected systems.
Affected Systems
Systems running ModelScope Agentscope version 1.0.18 or earlier are vulnerable. The weakness resides in the file src/agentscope/tool/_multi_modality/_openai_tools.py, specifically in the _parse_url, prepare_image and openai_audio_to_text functions, which handle the user-supplied image_url and audio_file_url arguments. Any deployment of the affected software that accepts external URLs is at risk.
Risk and Exploitability
The CVSS metric indicates moderate severity, but the absence of an EPSS score means the likelihood of exploitation in the wild cannot be quantified from the provided data. The vulnerability is not listed in CISA KEV, suggesting it has not yet been confirmed as exploited at scale. Nonetheless, the publicly available exploit code and the remote nature of the attack vector make SSRF a significant concern, especially if the application has unrestricted outbound network connectivity.
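One way to screen user-supplied image_url and audio_file_url values before any server-side fetch, shown as an added example; it is not AgentScope's code or its fix. The function names, the injectable resolver parameter and the hostnames used to exercise it are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host, port):
    """Resolve host with the OS resolver; returns a list of IP strings."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def is_public(ip_text):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text.split("%")[0])  # drop any IPv6 zone id
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:  # judge ::ffff:a.b.c.d as the IPv4 address it wraps
        ip = mapped
    return ip.is_global and not ip.is_multicast


def check_fetch_url(url, resolver=system_resolver):
    """Validate a user-supplied URL before any server-side fetch.

    Returns (ok, reason, ips). On success the caller should connect only to
    the returned ips and repeat this check for every redirect target.
    """
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "malformed URL", []
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    if not parts.hostname or parts.username or parts.password:
        return False, "missing host or embedded credentials", []
    try:
        ips = resolver(parts.hostname, port)
    except OSError:
        return False, "host does not resolve", []
    blocked = [ip for ip in ips if not is_public(ip)]
    if blocked or not ips:
        return False, "non-public or empty resolution", []
    return True, "ok", ips
```

The decision is made on the resolved addresses rather than on the URL string, so a hostname that points at a loopback, private or link-local address is rejected the same way as the literal address.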