Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/69702?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/69702?format=api", "purl": "pkg:pypi/aim@3.25.0", "type": "pypi", "namespace": "", "name": "aim", "version": "3.25.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "4.0.0.dev6", "latest_non_vulnerable_version": "4.0.0.dev6", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56838?format=api", "vulnerability_id": "VCID-3jnj-9x14-4qce", "summary": "Aim Uncontrolled Resource Consumption vulnerability\nIn version 3.25.0 of aimhubio/aim, the tracking server is vulnerable to a denial of service attack. The server overrides the maximum size for websocket messages, allowing very large images to be tracked. This causes the server to become unresponsive to other requests while processing the large image, leading to a denial of service condition.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-0189", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00578", "scoring_system": "epss", "scoring_elements": "0.69257", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-0189" }, { "reference_url": "https://github.com/aimhubio/aim", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim" }, { "reference_url": "https://huntr.com/bounties/e4c9bf41-72cf-4d04-baaf-8f12b5b7926e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:50:24Z/" } ], "url": "https://huntr.com/bounties/e4c9bf41-72cf-4d04-baaf-8f12b5b7926e" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0189", "reference_id": "CVE-2025-0189", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0189" }, { "reference_url": "https://github.com/advisories/GHSA-j5qj-rg5j-j7c2", "reference_id": "GHSA-j5qj-rg5j-j7c2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-j5qj-rg5j-j7c2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/808969?format=api", "purl": "pkg:pypi/aim@3.25.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6p77-vztx-sbcf" }, { "vulnerability": "VCID-b8tg-gjmy-2fac" }, { "vulnerability": "VCID-cvnh-3u25-wqhu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aim@3.25.1" } ], "aliases": [ "CVE-2025-0189", "GHSA-j5qj-rg5j-j7c2" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3jnj-9x14-4qce" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56921?format=api", "vulnerability_id": "VCID-6p77-vztx-sbcf", "summary": "Aim path traversal in LockManager.release_locks\nA vulnerability in the `LockManager.release_locks` function in aimhubio/aim (commit bb76afe) allows for arbitrary file deletion through relative path traversal. The `run_hash` parameter, which is user-controllable, is concatenated without normalization as part of a path used to specify file deletion. This vulnerability is exposed through the `Repo._close_run()` method, which is accessible via the tracking server instruction API. As a result, an attacker can exploit this to delete any arbitrary file on the machine running the tracking server.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-8769", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01313", "scoring_system": "epss", "scoring_elements": "0.80185", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-8769" }, { "reference_url": "https://github.com/aimhubio/aim", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim" }, { "reference_url": "https://github.com/aimhubio/aim/blob/bb76afe6e9a54364f322520cc4fea2679238f904/aim/sdk/lock_manager.py#L140", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim/blob/bb76afe6e9a54364f322520cc4fea2679238f904/aim/sdk/lock_manager.py#L140" }, { "reference_url": "https://huntr.com/bounties/59d3472f-f581-4beb-a090-afd36a00ecf7", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H" }, { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-20T13:05:15Z/" } ], "url": "https://huntr.com/bounties/59d3472f-f581-4beb-a090-afd36a00ecf7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8769", "reference_id": "CVE-2024-8769", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8769" }, { "reference_url": "https://github.com/advisories/GHSA-4qcx-jx49-6qrh", "reference_id": "GHSA-4qcx-jx49-6qrh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4qcx-jx49-6qrh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/730043?format=api", "purl": "pkg:pypi/aim@4.0.0.dev6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aim@4.0.0.dev6" } ], "aliases": [ "CVE-2024-8769", "GHSA-4qcx-jx49-6qrh" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6p77-vztx-sbcf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57698?format=api", "vulnerability_id": "VCID-b8tg-gjmy-2fac", "summary": "Aim vulnerable to Cross-site Scripting\nCross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox restrictions prevent JavaScript execution via pyodide.code.run_js().", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-51464", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01878", "scoring_system": "epss", "scoring_elements": "0.83506", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-51464" }, { "reference_url": "https://github.com/aimhubio/aim", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-07-22T18:15:49Z/" } ], "url": "https://github.com/aimhubio/aim" }, { "reference_url": "https://github.com/aimhubio/aim/pull/3333", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-07-22T18:15:49Z/" } ], "url": "https://github.com/aimhubio/aim/pull/3333" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51464", "reference_id": "CVE-2025-51464", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51464" }, { "reference_url": "https://www.gecko.security/blog/cve-2025-51464", "reference_id": "CVE-2025-51464", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-07-22T18:15:49Z/" } ], "url": "https://www.gecko.security/blog/cve-2025-51464" }, { "reference_url": "https://github.com/advisories/GHSA-gmvv-rj92-9w35", "reference_id": "GHSA-gmvv-rj92-9w35", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-gmvv-rj92-9w35" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/730043?format=api", "purl": "pkg:pypi/aim@4.0.0.dev6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aim@4.0.0.dev6" } ], "aliases": [ "CVE-2025-51464", "GHSA-gmvv-rj92-9w35" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b8tg-gjmy-2fac" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56900?format=api", "vulnerability_id": "VCID-cv98-1rer-xfdz", "summary": "Aim Uncontrolled Resource Consumption vulnerability\nA vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service (DoS) attack. The issue arises when a large number of tracked metrics are retrieved simultaneously from the Aim web API, causing the web server to become unresponsive. The root cause is the lack of a limit on the number of metrics that can be requested per call, combined with the server's single-threaded nature, leading to excessive resource consumption and blocking of the server.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12778", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00426", "scoring_system": "epss", "scoring_elements": "0.6262", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12778" }, { "reference_url": "https://github.com/aimhubio/aim", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim" }, { "reference_url": "https://huntr.com/bounties/892a9eee-0251-4e57-94a4-dad2e7f32715", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:52:12Z/" } ], "url": "https://huntr.com/bounties/892a9eee-0251-4e57-94a4-dad2e7f32715" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12778", "reference_id": "CVE-2024-12778", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12778" }, { "reference_url": "https://github.com/advisories/GHSA-35p3-6j45-prwm", "reference_id": "GHSA-35p3-6j45-prwm", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-35p3-6j45-prwm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/808969?format=api", "purl": "pkg:pypi/aim@3.25.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6p77-vztx-sbcf" }, { "vulnerability": "VCID-b8tg-gjmy-2fac" }, { "vulnerability": "VCID-cvnh-3u25-wqhu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aim@3.25.1" } ], "aliases": [ "CVE-2024-12778", "GHSA-35p3-6j45-prwm" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cv98-1rer-xfdz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57371?format=api", "vulnerability_id": "VCID-cvnh-3u25-wqhu", "summary": "Aim Vulnerable to Sandbox Escape Leading to Remote Code Execution\nA vulnerability classified as critical was found in aimhubio aim up to 3.29.1. This vulnerability affects the function RestrictedPythonQuery of the file /aim/storage/query.py of the component run_view Object Handler. The manipulation of the argument Query leads to sandbox issue. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-5321", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00376", "scoring_system": "epss", "scoring_elements": "0.59511", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-5321" }, { "reference_url": "https://gist.github.com/superboy-zjc/1fc4747a0ac77a1edc8c32e1d4edc54c", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:L/Au:S/C:P/I:P/A:P" }, { "value": "6.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-29T15:16:32Z/" } ], "url": "https://gist.github.com/superboy-zjc/1fc4747a0ac77a1edc8c32e1d4edc54c" }, { "reference_url": "https://github.com/aimhubio/aim", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim" }, { "reference_url": "https://vuldb.com/?ctiid.310492", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:L/Au:S/C:P/I:P/A:P" }, { "value": "6.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-29T15:16:32Z/" } ], "url": "https://vuldb.com/?ctiid.310492" }, { "reference_url": "https://vuldb.com/?id.310492", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:L/Au:S/C:P/I:P/A:P" }, { "value": "6.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-29T15:16:32Z/" } ], "url": "https://vuldb.com/?id.310492" }, { "reference_url": "https://vuldb.com/?submit.580253", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:L/Au:S/C:P/I:P/A:P" }, { "value": "6.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-29T15:16:32Z/" } ], "url": "https://vuldb.com/?submit.580253" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5321", "reference_id": "CVE-2025-5321", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5321" }, { "reference_url": "https://github.com/advisories/GHSA-gp5h-f9c5-8355", "reference_id": "GHSA-gp5h-f9c5-8355", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-gp5h-f9c5-8355" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/821706?format=api", "purl": "pkg:pypi/aim@3.30.0.dev20250508", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-b8tg-gjmy-2fac" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aim@3.30.0.dev20250508" } ], "aliases": [ "CVE-2025-5321", "GHSA-gp5h-f9c5-8355" ], "risk_score": 2.9, "exploitability": "0.5", "weighted_severity": "5.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cvnh-3u25-wqhu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56905?format=api", "vulnerability_id": "VCID-hyhp-a7z8-jfft", "summary": "Aim vulnerable to Synchronous Access of Remote Resource without Timeout\nA vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service through the misuse of the sshfs-client. The tracking server, which is single-threaded, can be made unresponsive by requesting it to connect to an unresponsive socket via sshfs. The lack of an additional timeout setting in the sshfs-client causes the server to hang for a significant amount of time, preventing it from responding to other requests.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12777", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00214", "scoring_system": "epss", "scoring_elements": "0.44023", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12777" }, { "reference_url": "https://github.com/aimhubio/aim", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim" }, { "reference_url": "https://github.com/aimhubio/aim/blob/d4ad66ac87606b1f377d3e685e861abb2eef6c45/aim/ext/sshfs/utils.py#L151-L154", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim/blob/d4ad66ac87606b1f377d3e685e861abb2eef6c45/aim/ext/sshfs/utils.py#L151-L154" }, { "reference_url": "https://huntr.com/bounties/cdf8db79-c290-4fe5-9383-4c518bfba4a8", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-20T13:30:15Z/" } ], "url": "https://huntr.com/bounties/cdf8db79-c290-4fe5-9383-4c518bfba4a8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12777", "reference_id": "CVE-2024-12777", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12777" }, { "reference_url": "https://github.com/advisories/GHSA-v5pj-jrpv-h6g2", "reference_id": "GHSA-v5pj-jrpv-h6g2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-v5pj-jrpv-h6g2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/808969?format=api", "purl": "pkg:pypi/aim@3.25.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6p77-vztx-sbcf" }, { "vulnerability": "VCID-b8tg-gjmy-2fac" }, { "vulnerability": "VCID-cvnh-3u25-wqhu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aim@3.25.1" } ], "aliases": [ "CVE-2024-12777", "GHSA-v5pj-jrpv-h6g2" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hyhp-a7z8-jfft" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47438?format=api", "vulnerability_id": "VCID-sgsk-jtpy-v7fn", "summary": "Aim Web API vulnerable to Remote Code Execution\nA critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the `/api/runs/search/run/` endpoint, affecting versions >= 3.0.0. The vulnerability resides in the `run_search_api` function of the `aim/web/api/runs/views.py` file, where improper restriction of user access to the `RunView` object allows for the execution of arbitrary code via the `query` parameter. This issue enables attackers to execute arbitrary commands on the server, potentially leading to full system compromise.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2195", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.08378", "scoring_system": "epss", "scoring_elements": "0.92467", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2195" }, { "reference_url": "https://github.com/aimhubio/aim", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim" }, { "reference_url": "https://huntr.com/bounties/22f2355e-b875-4c01-b454-327e5951c018", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-04-10T19:27:31Z/" } ], "url": "https://huntr.com/bounties/22f2355e-b875-4c01-b454-327e5951c018" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2195", "reference_id": "CVE-2024-2195", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2195" }, { "reference_url": "https://github.com/advisories/GHSA-mxvw-cj37-8g2h", "reference_id": "GHSA-mxvw-cj37-8g2h", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mxvw-cj37-8g2h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/730043?format=api", "purl": "pkg:pypi/aim@4.0.0.dev6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aim@4.0.0.dev6" } ], "aliases": [ "CVE-2024-2195", "GHSA-mxvw-cj37-8g2h" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sgsk-jtpy-v7fn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56870?format=api", "vulnerability_id": "VCID-tsvd-q9dm-qka9", "summary": "Aim Excessive Data Query Operations in a Large Data Table vulnerability\nIn version 3.25.0 of aimhubio/aim, a denial of service vulnerability exists. By tracking a large number of `Text` objects and then querying them simultaneously through the web API, the Aim web server becomes unresponsive to other requests for an extended period while processing and returning these objects. This vulnerability can be exploited repeatedly, leading to a complete denial of service.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-0190", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00442", "scoring_system": "epss", "scoring_elements": "0.63659", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-0190" }, { "reference_url": "https://github.com/aimhubio/aim", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim" }, { "reference_url": "https://huntr.com/bounties/38d151f1-abb4-443a-86b0-6c26f0c6cb70", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:55:00Z/" } ], "url": "https://huntr.com/bounties/38d151f1-abb4-443a-86b0-6c26f0c6cb70" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0190", "reference_id": "CVE-2025-0190", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0190" }, { "reference_url": "https://github.com/advisories/GHSA-fm93-g6xp-35xq", "reference_id": "GHSA-fm93-g6xp-35xq", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-fm93-g6xp-35xq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/808969?format=api", "purl": "pkg:pypi/aim@3.25.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6p77-vztx-sbcf" }, { "vulnerability": "VCID-b8tg-gjmy-2fac" }, { "vulnerability": "VCID-cvnh-3u25-wqhu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aim@3.25.1" } ], "aliases": [ "CVE-2025-0190", "GHSA-fm93-g6xp-35xq" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tsvd-q9dm-qka9" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aim@3.25.0" }