Package details: pkg:pypi/aim@3.21.0
purl pkg:pypi/aim@3.21.0
Next non-vulnerable version: 4.0.0.dev6 (a development pre-release; pip only resolves to it when a pre-release is requested explicitly, for example with --pre)
Latest non-vulnerable version: 4.0.0.dev6
Risk
Vulnerabilities affecting this package (13)
Each entry gives the VulnerableCode id with its aliases, the advisory summary, and the first version that fixes it.
VCID-3jnj-9x14-4qce (aliases: CVE-2025-0189, GHSA-j5qj-rg5j-j7c2)
Summary: Aim Uncontrolled Resource Consumption vulnerability. In version 3.25.0 of aimhubio/aim, the tracking server is vulnerable to a denial of service attack. The server overrides the maximum size for websocket messages, allowing very large images to be tracked. This causes the server to become unresponsive to other requests while processing the large image, leading to a denial of service condition.
Fixed by: 3.25.1 (that version is itself affected by 3 other vulnerabilities)
VCID-5c2z-bweu-47hy (aliases: CVE-2024-7760, GHSA-38r9-3j52-h92v)
Summary: Aim vulnerable to Cross-Site Request Forgery. aimhubio/aim version 3.22.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the tracking server. The vulnerability is due to overly permissive CORS settings, allowing cross-origin requests from all origins. This enables CSRF attacks on all endpoints of the tracking server, which can be chained with other existing vulnerabilities such as remote code execution, denial of service, and arbitrary file read/write.
Fixed by: 3.23.0 (that version is itself affected by 10 other vulnerabilities)
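A quick way to check a deployment for the misconfiguration described in CVE-2024-7760: send a request carrying a foreign Origin header and see whether the server answers with a wildcard or reflected Access-Control-Allow-Origin. This is an added example, not Aim's code. The stub server, the probe origin and the /api/projects path are constructed or assumed for the demo; point probe_cors() at a real tracking server URL to check your own instance.

```python
"""Probe a tracking server for CORS settings that accept any origin.

Added example, not Aim's code: a minimal check for the misconfiguration in
CVE-2024-7760, a server that answers cross-origin requests from every origin.
The stub server, the probe origin and the /api/projects path are constructed
or assumed for this demo; point probe_cors() at a real deployment to check it.
"""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE_ORIGIN = "https://attacker.example"  # assumed attacker-controlled origin


def make_stub(permissive: bool) -> HTTPServer:
    """Constructed stand-in for a tracking server. permissive=True mimics the
    vulnerable policy (any origin), permissive=False a single trusted origin."""

    class Handler(BaseHTTPRequestHandler):
        def _cors_headers(self):
            allowed = "*" if permissive else "https://aim.internal.example"
            self.send_header("Access-Control-Allow-Origin", allowed)

        def do_OPTIONS(self):  # preflight for non-simple requests (JSON POSTs)
            self.send_response(204)
            self._cors_headers()
            self.send_header("Access-Control-Allow-Methods", "GET, POST, DELETE")
            self.end_headers()

        def do_GET(self):
            body = b"{}"
            self.send_response(200)
            self._cors_headers()
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe_cors(base_url: str, origin: str = PROBE_ORIGIN) -> dict:
    """GET an API path with a foreign Origin header and classify the answer.
    A wildcard or reflected origin means any web page can issue requests to
    the server from a visitor's browser and read the responses."""
    req = urllib.request.Request(base_url + "/api/projects", headers={"Origin": origin})
    with urllib.request.urlopen(req, timeout=5) as resp:
        acao = resp.headers.get("Access-Control-Allow-Origin")
        acac = resp.headers.get("Access-Control-Allow-Credentials")
    return {
        "allow_origin": acao,
        "allow_credentials": acac,
        "permissive": acao in ("*", origin),
    }


def run_demo(permissive: bool) -> dict:
    """Start a stub, probe it, shut it down; returns the probe_cors() verdict."""
    server = make_stub(permissive)
    try:
        port = server.server_address[1]
        return probe_cors(f"http://127.0.0.1:{port}")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("vulnerable stub:", run_demo(True))
    print("hardened stub:", run_demo(False))
```

Because the tracking server has no authentication of its own, a wildcard is enough for a hostile page to drive every endpoint from a victim's browser; if you need cross-origin access at all, allow an explicit list of origins and keep credentials off.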
VCID-6p77-vztx-sbcf (aliases: CVE-2024-8769, GHSA-4qcx-jx49-6qrh)
Summary: Aim path traversal in LockManager.release_locks. A vulnerability in the `LockManager.release_locks` function in aimhubio/aim (commit bb76afe) allows for arbitrary file deletion through relative path traversal. The `run_hash` parameter, which is user-controllable, is concatenated without normalization as part of a path used to specify file deletion. This vulnerability is exposed through the `Repo._close_run()` method, which is accessible via the tracking server instruction API. As a result, an attacker can exploit this to delete any arbitrary file on the machine running the tracking server.
Fixed by: 4.0.0.dev6 (no other known vulnerabilities affect that version)
VCID-ahjg-p7ah-2ugh (aliases: CVE-2024-6851, GHSA-mrvr-7493-pfq3)
Summary: Aim Path Traversal vulnerability. In version 3.22.0 of aimhubio/aim, the LocalFileManager._cleanup function in the aim tracking server accepts a user-specified glob-pattern for deleting files. The function does not verify that the matched files are within the directory managed by LocalFileManager, allowing a maliciously crafted glob-pattern to lead to arbitrary file deletion.
Fixed by: 3.23.0 (that version is itself affected by 10 other vulnerabilities)
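CVE-2024-8769 (a user-controlled `run_hash` concatenated into a deletion path) and CVE-2024-6851 (a user-supplied glob expanded for cleanup) share one root cause: a path built from untrusted input is never checked to lie inside the directory the server manages. The following is an added example of the vulnerable shape beside a hardened one, not Aim's own code; the function names, the temporary repo layout and the hostile inputs are constructed for the demo.

```python
"""Reject user-controlled path components that escape a managed directory.

Added example, not Aim's code. Covers the two traversal bugs on this page:
a run_hash concatenated into a lock-file path (CVE-2024-8769) and a cleanup
glob matched outside the managed directory (CVE-2024-6851). Function names,
the temporary layout and the hostile inputs are constructed for the demo.
"""
import glob
import os
import shutil
import tempfile


def unsafe_lock_path(locks_dir: str, run_hash: str) -> str:
    """Vulnerable shape: plain concatenation, no normalisation, no containment check."""
    return os.path.join(locks_dir, run_hash + ".lock")


def safe_child(base_dir: str, user_part: str) -> str:
    """Resolve base_dir/user_part (following symlinks) and require the result
    to stay under base_dir. Raises ValueError for '..', absolute paths and
    symlinks that point outside."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_part))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes managed directory: {user_part!r}")
    return candidate


def safe_glob(base_dir: str, pattern: str) -> list:
    """Expand a user glob, then keep only matches that resolve inside base_dir.
    The filter runs on the resolved matches, not on the pattern text, so
    '../*' and '/etc/*' style patterns yield nothing."""
    base = os.path.realpath(base_dir)
    matches = glob.glob(os.path.join(base, pattern))
    return [m for m in matches
            if os.path.commonpath([base, os.path.realpath(m)]) == base]


def demo() -> dict:
    """Constructed layout: <root>/locks is the managed directory,
    <root>/victim.lock is a file the server must never touch."""
    root = tempfile.mkdtemp()
    try:
        locks = os.path.join(root, "locks")
        os.mkdir(locks)
        open(os.path.join(locks, "abc123.lock"), "w").close()
        open(os.path.join(root, "victim.lock"), "w").close()

        results = {}
        # Vulnerable: a run_hash of '../victim' resolves to the file outside locks/.
        results["unsafe_points_outside"] = os.path.exists(unsafe_lock_path(locks, "../victim"))
        # Hardened: the same input is rejected ...
        try:
            safe_child(locks, "../victim" + ".lock")
            results["safe_rejected"] = False
        except ValueError:
            results["safe_rejected"] = True
        # ... while a legitimate run hash still resolves.
        results["safe_ok"] = os.path.basename(safe_child(locks, "abc123.lock")) == "abc123.lock"
        # Glob cleanup: the escaping pattern matches victim.lock but it is filtered out.
        results["glob_filtered"] = [os.path.basename(p) for p in safe_glob(locks, "../*.lock")]
        results["glob_inside"] = [os.path.basename(p) for p in safe_glob(locks, "*.lock")]
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Checking containment on the resolved path (realpath plus commonpath) rather than on the input string is what makes this hold up against `..`, absolute paths and symlinks alike; a string-level filter for `..` would miss the symlink case.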
VCID-b8tg-gjmy-2fac (aliases: CVE-2025-51464, GHSA-gmvv-rj92-9w35)
Summary: Aim vulnerable to Cross-site Scripting. Cross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims' browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox restrictions prevent JavaScript execution via pyodide.code.run_js().
Fixed by: 4.0.0.dev6 (no other known vulnerabilities affect that version)
VCID-cv98-1rer-xfdz (aliases: CVE-2024-12778, GHSA-35p3-6j45-prwm)
Summary: Aim Uncontrolled Resource Consumption vulnerability. A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service (DoS) attack. The issue arises when a large number of tracked metrics are retrieved simultaneously from the Aim web API, causing the web server to become unresponsive. The root cause is the lack of a limit on the number of metrics that can be requested per call, combined with the server's single-threaded nature, leading to excessive resource consumption and blocking of the server.
Fixed by: 3.25.1 (that version is itself affected by 3 other vulnerabilities)
VCID-cvnh-3u25-wqhu (aliases: CVE-2025-5321, GHSA-gp5h-f9c5-8355)
Summary: Aim Vulnerable to Sandbox Escape Leading to Remote Code Execution. A vulnerability classified as critical affects aimhubio aim up to 3.29.1, in the function RestrictedPythonQuery of the file /aim/storage/query.py (run_view object handler). Manipulation of the Query argument leads to a sandbox escape. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Fixed by: 3.30.0.dev20250508 (that version is itself affected by 1 other vulnerability)
VCID-hyhp-a7z8-jfft (aliases: CVE-2024-12777, GHSA-v5pj-jrpv-h6g2)
Summary: Aim vulnerable to Synchronous Access of Remote Resource without Timeout. A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service through the misuse of the sshfs-client. The tracking server, which is single-threaded, can be made unresponsive by requesting it to connect to an unresponsive socket via sshfs. The lack of an additional timeout setting in the sshfs-client causes the server to hang for a significant amount of time, preventing it from responding to other requests.
Fixed by: 3.25.1 (that version is itself affected by 3 other vulnerabilities)
VCID-k766-4pgg-6bcb (aliases: CVE-2024-8863, GHSA-pmhg-f7wc-c97m)
Summary: Aim Stored XSS through TEXT EXPLORER. A vulnerability classified as problematic affects aimhubio aim up to 3.24, in the use of dangerouslySetInnerHTML in the file textbox.tsx of the Text Explorer component. Manipulation of the query argument leads to cross-site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Fixed by: 4.0.0.dev6 (no other known vulnerabilities affect that version)
VCID-qrfx-jwtm-y3aq (aliases: CVE-2024-10110, GHSA-fx47-jpv9-7hxr)
Summary: Aim Vulnerable to Denial of Service (DoS). In version 3.23.0 of aimhubio/aim, the ScheduledStatusReporter object can be instantiated to run on the main thread of the tracking server, leading to the main thread being blocked indefinitely. This results in a denial of service as the tracking server becomes unable to respond to other requests.
Fixed by: 3.24.0 (that version is itself affected by 8 other vulnerabilities)
VCID-tdcy-azet-r3ge (aliases: CVE-2024-8238, GHSA-r229-5wgf-f28g)
Summary: Aim Improper Access Control. In version 3.22.0 of aimhubio/aim, the AimQL query language uses an outdated version of the safer_getattr() function from RestrictedPython. This version does not protect against the str.format_map() method, allowing an attacker to leak server-side secrets or potentially gain unrestricted code execution. The vulnerability arises because str.format_map() can read arbitrary attributes of Python objects, enabling attackers to access sensitive variables such as os.environ. If an attacker can write files to a known location on the Aim server, they can use str.format_map() to load a malicious .dll/.so file into the Python interpreter, leading to unrestricted code execution.
Fixed by: 3.23.0 (that version is itself affected by 10 other vulnerabilities)
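The mechanism behind CVE-2024-8238 is easy to misread: a guard that screens every `getattr` the sandboxed code performs does nothing about the attribute walk that `str.format_map()` performs on its own when it resolves replacement fields like `{f.__globals__[os]}`. The following is an added example, not Aim's or RestrictedPython's code: a simplified stand-in for the outdated guard, a second guard that also refuses `format`/`format_map` on strings (the same idea as the later RestrictedPython fix, paraphrased here), and a model of what the sandbox does for a user-supplied template. The secret, the helper function and the guard names are constructed for the demo.

```python
"""Why str.format_map() defeats a getattr-only sandbox guard.

Added example, not Aim's or RestrictedPython's code. CVE-2024-8238 describes a
safer_getattr() that screens attribute access but not str.format_map(), whose
replacement fields walk object attributes with plain getattr. The secret, the
helper function and both guard functions below are constructed for the demo.
"""
import os

os.environ["AIM_DEMO_SECRET"] = "constructed-secret-value"  # constructed for the demo


def helper():
    """Any function object reachable from the sandbox exposes its module
    globals, and this module imported os, so os.environ is one hop away."""
    return None


def old_guard(obj, name):
    """Simplified stand-in for the outdated guard: refuses private-looking
    names, allows everything else, including str.format_map."""
    if name.startswith("_"):
        raise AttributeError(f"access to {name!r} is denied")
    return getattr(obj, name)


def new_guard(obj, name):
    """Additionally refuses str.format / str.format_map, so a template can
    never be asked to resolve fields (the idea behind the upstream fix)."""
    if isinstance(obj, str) and name in ("format", "format_map"):
        raise AttributeError("str.format and str.format_map are not allowed")
    return old_guard(obj, name)


# Field syntax: attribute access with '.', mapping lookup with '[key]' (unquoted).
TEMPLATE = "{f.__globals__[os].environ[AIM_DEMO_SECRET]}"


def sandboxed_read(guard) -> str:
    """Model what the sandbox does for user code `TEMPLATE.format_map({'f': helper})`:
    the attribute access TEMPLATE.format_map goes through the guard, but the
    walk f -> __globals__ -> os -> environ happens inside format_map, where
    the guard is never consulted."""
    format_map = guard(TEMPLATE, "format_map")
    return format_map({"f": helper})


def demo() -> dict:
    """Returns what each guard lets through."""
    leaked = sandboxed_read(old_guard)
    try:
        sandboxed_read(new_guard)
        blocked = False
    except AttributeError:
        blocked = True
    return {"old_guard_leak": leaked, "new_guard_blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The lesson generalises beyond this package: any sandbox built on attribute-access guards must also deny the few builtins that traverse attributes internally (`str.format`, `str.format_map`, `getattr` itself, `vars`), or the guard can be bypassed without ever tripping it.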
VCID-tsvd-q9dm-qka9 (aliases: CVE-2025-0190, GHSA-fm93-g6xp-35xq)
Summary: Aim Excessive Data Query Operations in a Large Data Table vulnerability. In version 3.25.0 of aimhubio/aim, a denial of service vulnerability exists. By tracking a large number of `Text` objects and then querying them simultaneously through the web API, the Aim web server becomes unresponsive to other requests for an extended period while processing and returning these objects. This vulnerability can be exploited repeatedly, leading to a complete denial of service.
Fixed by: 3.25.1 (that version is itself affected by 3 other vulnerabilities)
VCID-ud1y-m5hg-mffh (aliases: CVE-2024-8061, GHSA-6w7p-xrvp-p7xv)
Summary: Aim allows denial of service due to no timeouts for some tracking server endpoints. In version 3.23.0 of aimhubio/aim, certain methods that request data from external servers do not have set timeouts, causing the server to wait indefinitely for a response. This can lead to a denial of service, as the tracking server does not respond to other requests while waiting. The issue arises in the client used by the `aim` tracking server to communicate with external resources, specifically in the `_run_read_instructions` method and similar calls without timeouts.
Fixed by: 3.24.0 (that version is itself affected by 8 other vulnerabilities)
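CVE-2024-8061 and CVE-2024-12777 describe the same failure mode: a single-threaded server that blocks on a peer that never answers. The following is an added example, not Aim's code, of the peer that triggers it and of the one-line defence. The "silent" listener is constructed: it lets TCP connections complete (the kernel finishes the handshake once the socket is listening) but never accepts, reads or writes, which is exactly the remote that hangs a client opened without a timeout. The request line and host/port are assumptions for the demo.

```python
"""Bound every blocking network call with a timeout.

Added example, not Aim's code. CVE-2024-8061 and CVE-2024-12777 both describe
a single-threaded tracking server that waits forever on a peer that never
answers. The silent listener below is constructed: connections complete but
nothing is ever sent back, so a client with timeout=None blocks indefinitely.
"""
import socket
from typing import Optional


def start_silent_server() -> socket.socket:
    """Listen but never accept(): the first connection still completes
    (it sits in the backlog), and the peer then hears nothing."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def fetch(host: str, port: int, timeout: Optional[float]) -> str:
    """Send a request line and wait for a reply.

    timeout=None is the vulnerable shape: recv() blocks until the peer speaks,
    which may be never, and a single-threaded server stops serving everyone.
    create_connection() applies the timeout to connect() and to every later
    recv()/send() on the socket."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"GET /api/runs HTTP/1.0\r\n\r\n")  # assumed request line
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "timeout"
    return data.decode(errors="replace") or "closed"


def demo(timeout: float = 0.5) -> str:
    """Point fetch() at the silent listener; with a timeout it returns promptly."""
    srv = start_silent_server()
    try:
        return fetch("127.0.0.1", srv.getsockname()[1], timeout)
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo(0.5))   # "timeout" after half a second
    # demo(None) would hang this process for good; do not run it in a server.
```

The same rule applies to every blocking call the server makes on behalf of a client, including subprocesses such as an sshfs mount (`subprocess.run(..., timeout=...)`): a deadline is cheap, and without one a single slow or hostile peer becomes a denial of service for every other user.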
Vulnerabilities fixed by this package (0)
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-06T05:56:03.396365+00:00 GitLab Importer Affected by VCID-b8tg-gjmy-2fac https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aim/CVE-2025-51464.yml 38.6.0
2026-06-06T05:51:04.459830+00:00 GitLab Importer Affected by VCID-cvnh-3u25-wqhu https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aim/CVE-2025-5321.yml 38.6.0
2026-06-06T05:43:55.743314+00:00 GitLab Importer Affected by VCID-ahjg-p7ah-2ugh https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aim/CVE-2024-6851.yml 38.6.0
2026-06-06T05:43:46.751346+00:00 GitLab Importer Affected by VCID-6p77-vztx-sbcf https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aim/CVE-2024-8769.yml 38.6.0
2026-06-06T05:43:24.621191+00:00 GitLab Importer Affected by VCID-hyhp-a7z8-jfft https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aim/CVE-2024-12777.yml 38.6.0
2026-06-06T05:43:13.411682+00:00 GitLab Importer Affected by VCID-cv98-1rer-xfdz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aim/CVE-2024-12778.yml 38.6.0
2026-06-06T05:43:04.058009+00:00 GitLab Importer Affected by VCID-qrfx-jwtm-y3aq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aim/CVE-2024-10110.yml 38.6.0
2026-06-06T05:43:03.149669+00:00 GitLab Importer Affected by VCID-5c2z-bweu-47hy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aim/CVE-2024-7760.yml 38.6.0
2026-06-06T05:42:57.288208+00:00 GitLab Importer Affected by VCID-tsvd-q9dm-qka9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aim/CVE-2025-0190.yml 38.6.0
2026-06-06T05:42:54.911868+00:00 GitLab Importer Affected by VCID-ud1y-m5hg-mffh https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aim/CVE-2024-8061.yml 38.6.0
2026-06-06T05:42:53.850036+00:00 GitLab Importer Affected by VCID-tdcy-azet-r3ge https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aim/CVE-2024-8238.yml 38.6.0
2026-06-06T05:42:38.562796+00:00 GitLab Importer Affected by VCID-3jnj-9x14-4qce https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aim/CVE-2025-0189.yml 38.6.0
2026-06-06T05:22:19.993492+00:00 GitLab Importer Affected by VCID-k766-4pgg-6bcb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aim/CVE-2024-8863.yml 38.6.0