Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-nh25-j9ac-p7gw
Vulnerability ID VCID-nh25-j9ac-p7gw
Aliases CVE-2024-8769
GHSA-4qcx-jx49-6qrh
Summary A vulnerability in the `LockManager.release_locks` function in aimhubio/aim (commit bb76afe) allows for arbitrary file deletion through relative path traversal. The `run_hash` parameter, which is user-controllable, is concatenated without normalization as part of a path used to specify file deletion. This vulnerability is exposed through the `Repo._close_run()` method, which is accessible via the tracking server instruction API. As a result, an attacker can exploit this to delete any arbitrary file on the machine running the tracking server.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-29 Path Traversal: '..filename'
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.01313 https://api.first.org/data/v1/epss?cve=CVE-2024-8769
cvssv3.1 9.1 https://github.com/aimhubio/aim
generic_textual CRITICAL https://github.com/aimhubio/aim
cvssv3.1 9.1 https://github.com/aimhubio/aim/blob/bb76afe6e9a54364f322520cc4fea2679238f904/aim/sdk/lock_manager.py#L140
generic_textual CRITICAL https://github.com/aimhubio/aim/blob/bb76afe6e9a54364f322520cc4fea2679238f904/aim/sdk/lock_manager.py#L140
cvssv3 9.1 https://huntr.com/bounties/59d3472f-f581-4beb-a090-afd36a00ecf7
cvssv3.1 9.1 https://huntr.com/bounties/59d3472f-f581-4beb-a090-afd36a00ecf7
generic_textual CRITICAL https://huntr.com/bounties/59d3472f-f581-4beb-a090-afd36a00ecf7
ssvc Track* https://huntr.com/bounties/59d3472f-f581-4beb-a090-afd36a00ecf7
cvssv3.1 9.1 https://nvd.nist.gov/vuln/detail/CVE-2024-8769
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2024-8769
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2024-8769
https://github.com/aimhubio/aim/blob/bb76afe6e9a54364f322520cc4fea2679238f904/aim/sdk/lock_manager.py#L140
https://nvd.nist.gov/vuln/detail/CVE-2024-8769
59d3472f-f581-4beb-a090-afd36a00ecf7 https://huntr.com/bounties/59d3472f-f581-4beb-a090-afd36a00ecf7
GHSA-4qcx-jx49-6qrh https://github.com/advisories/GHSA-4qcx-jx49-6qrh
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H Found at https://github.com/aimhubio/aim
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H Found at https://github.com/aimhubio/aim/blob/bb76afe6e9a54364f322520cc4fea2679238f904/aim/sdk/lock_manager.py#L140
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H Found at https://huntr.com/bounties/59d3472f-f581-4beb-a090-afd36a00ecf7
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H Found at https://huntr.com/bounties/59d3472f-f581-4beb-a090-afd36a00ecf7
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-20T13:05:15Z/ Found at https://huntr.com/bounties/59d3472f-f581-4beb-a090-afd36a00ecf7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-8769
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.80237
EPSS Score 0.01313
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-10T18:28:51.023006+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2024/8xxx/CVE-2024-8769.json 38.6.0