cpe:2.3:a:aimhubio:aimhubio/aim:*:*:*:*:*:*:*:*

Part: a
Version: *
Update: *
Vendor: Aimhubio (9426dfad-e771-5a21-89e2-df29d78b9f28)
Product: Aimhubio/Aim (45a1a2d9-039c-50c4-9426-f421cf28d56e)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

Columns: PURL | Source | Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Columns: Identifier | CPE applicability | Submitted | db.gcve.eu details | Rationale

CVE-2025-0190 | vulnerable | 2026-06-08 07:00:29.896556
  Title: Denial of Service in aimhubio/aim
  Severity: HIGH (7.5)
  Description: In version 3.25.0 of aimhubio/aim, a denial of service vulnerability exists. By tracking a large number of `Text` objects and then querying them simultaneously through the web API, the Aim web server becomes unresponsive to other requests for an extended period while processing and returning these objects. This vulnerability can be exploited repeatedly, leading to a complete denial of service.
  Published: 2025-03-20T10:08:48.087Z
  Updated: 2025-03-20T19:03:20.216Z
  Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2025-0189 | vulnerable | 2026-06-08 07:00:29.895039
  Title: Denial of Service in aimhubio/aim
  Severity: HIGH (7.5)
  Description: In version 3.25.0 of aimhubio/aim, the tracking server is vulnerable to a denial of service attack. The server overrides the maximum size for websocket messages, allowing very large images to be tracked. This causes the server to become unresponsive to other requests while processing the large image, leading to a denial of service condition.
  Published: 2025-03-20T10:10:54.858Z
  Updated: 2025-10-15T12:50:04.149Z
  Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2024-8769 | vulnerable | 2026-06-08 07:00:25.684901
  Title: Arbitrary File Deletion via Relative Path Traversal in aimhubio/aim
  Severity: CRITICAL (9.1)
  Description: A vulnerability in the `LockManager.release_locks` function in aimhubio/aim (commit bb76afe) allows for arbitrary file deletion through relative path traversal. The `run_hash` parameter, which is user-controllable, is concatenated without normalization as part of a path used to specify file deletion. This vulnerability is exposed through the `Repo._close_run()` method, which is accessible via the tracking server instruction API. As a result, an attacker can exploit this to delete any arbitrary file on the machine running the tracking server.
  Published: 2025-03-20T10:11:22.123Z
  Updated: 2025-10-15T12:50:42.461Z
  Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2024-8238 | vulnerable | 2026-06-08 07:00:23.315766
  Title: Unrestricted Code Execution in aimhubio/aim
  Severity: MEDIUM (5.9)
  Description: In version 3.22.0 of aimhubio/aim, the AimQL query language uses an outdated version of the safer_getattr() function from RestrictedPython. This version does not protect against the str.format_map() method, allowing an attacker to leak server-side secrets or potentially gain unrestricted code execution. The vulnerability arises because str.format_map() can read arbitrary attributes of Python objects, enabling attackers to access sensitive variables such as os.environ. If an attacker can write files to a known location on the Aim server, they can use str.format_map() to load a malicious .dll/.so file into the Python interpreter, leading to unrestricted code execution.
  Published: 2025-03-20T10:11:09.622Z
  Updated: 2025-10-15T12:49:56.303Z
  Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2024-8101 | vulnerable | 2026-06-08 07:00:21.534181
  Title: Stored XSS in aimhubio/aim
  Severity: HIGH (7.2)
  Description: A stored cross-site scripting (XSS) vulnerability exists in the Text Explorer component of aimhubio/aim version 3.23.0. The vulnerability arises due to the use of `dangerouslySetInnerHTML` without proper sanitization, allowing arbitrary JavaScript execution when rendering tracked texts. This can be exploited by injecting malicious HTML content during the training process, which is then rendered unsanitized in the Text Explorer.
  Published: 2025-03-20T10:11:29.974Z
  Updated: 2025-03-20T13:01:37.992Z
  Rationale: Imported from gcve-enriched-dumps CVE data
The following references were also imported from gcve-enriched-dumps CVE data; their db.gcve.eu details were skipped to keep the page responsive:

CVE-2024-8061 | vulnerable | 2026-06-08 07:00:21.304180
CVE-2024-7760 | vulnerable | 2026-06-08 06:58:23.384169
CVE-2024-6851 | vulnerable | 2026-06-08 06:58:20.599413
CVE-2024-6829 | vulnerable | 2026-06-08 06:58:20.551471
CVE-2024-6578 | vulnerable | 2026-06-08 06:58:19.928559
CVE-2024-6483 | vulnerable | 2026-06-08 06:58:19.569120
CVE-2024-6396 | vulnerable | 2026-06-08 06:58:19.333085
CVE-2024-6227 | vulnerable | 2026-06-08 06:58:18.295662
CVE-2024-2196 | vulnerable | 2026-06-08 06:33:30.563740
CVE-2024-2195 | vulnerable | 2026-06-08 06:33:30.561325
CVE-2024-12778 | vulnerable | 2026-06-08 06:25:36.072702
CVE-2024-12777 | vulnerable | 2026-06-08 06:25:36.071247
CVE-2024-10110 | vulnerable | 2026-06-08 06:22:03.586101