26 matches found

vulnersOsv
added 2025/07/22 6:30 p.m., 1 view

dsipts (>=1.1.5 <=1.1.19), kedro-aim (>=0.1.1 <=0.1.3) +7 more potentially affected by CVE-2025-51464 via aim (>=3.17.4 <=3.29.1)

aim PYPI version =3.17.4, =1.1.5, =0.1.1, =0.0.1, =0.0.1, =0.0.20, =0.1.0, =0.5.6 Source cves: CVE-2025-51464 Source advisory: OSV:GHSA-GMVV-RJ92-9W35...

CVSS 8.8 | AI score 5.8 | EPSS 0.01878
Exploits: 1

OSV
added 2025/07/22 6:30 p.m., 2 views

GHSA-GMVV-RJ92-9W35 Aim vulnerable to Cross-site Scripting

Cross-site Scripting XSS in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims' browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox...

CVSS 5.3 | AI score 6.4 | EPSS 0.01878
Exploits: 1 | References: 4

vulnersOsv
added 2025/07/22 5:43 p.m., 0 views

ado-sfttrainer (>=1.0.1 <=1.8.0), aim-mlflow (>=0.1.0 <=0.2.1) +27 more potentially affected by CVE-2025-51464 via aim (>=3.17.4 <=4.0.3)

aim PYPI version =3.17.4, =1.0.1, =0.1.0, =0.1.0, =0.0.1, =4.46.1, =0.0.1, =0.0.3, =0.0.1, =1.1.5, =0.1.1, =0.22.0, =0.0.1, =0.0.1, =2.0.1, =2.0.7 and more Source cves: CVE-2025-51464 Source advisory: SNYK:PYTHON-AIM-10878170...

CVSS 8.8 | AI score 5.8 | EPSS 0.01878
Exploits: 1

Snyk
added 2025/05/29 3:42 p.m., 3 views

Arbitrary Code Injection

Overview aim is a super-easy way to record, search and compare AI experiments. Affected versions of this package are vulnerable to Arbitrary Code Injection through the RestrictedPythonQuery class. An attacker can manipulate the argument Query to bypass sandbox restrictions by leveraging the...

CVSS 9.9 | AI score 7.2 | EPSS 0.00376
Exploits: 1 | References: 2

vulnersOsv
added 2025/05/29 3:31 p.m., 1 view

dsipts (>=1.1.5 <=1.1.19), kedro-aim (>=0.1.1 <=0.1.3) +7 more potentially affected by CVE-2025-5321 via aim (>=3.17.4 <=3.29.1)

aim PYPI version =3.17.4, =1.1.5, =0.1.1, =0.0.1, =0.0.1, =0.0.20, =0.1.0, =0.5.6 Source cves: CVE-2025-5321 Source advisory: OSV:GHSA-GP5H-F9C5-8355...

CVSS 9.9 | AI score 6.5 | EPSS 0.00376
Exploits: 1

RedhatCVE
added 2025/03/22 12:56 p.m., 4 views

CVE-2024-6483

A vulnerability in the runs/delete-batch endpoint of aimhubio/aim version 3.19.3 allows for arbitrary file or directory deletion through path traversal. The endpoint does not mitigate path traversal when handling user-specified run-names, which are used to specify log/metadata files for deletion...

CVSS 5.3 | AI score 7.1 | EPSS 0.00659
Exploits: 1 | References: 1

vulnersOsv
added 2025/03/20 12:32 p.m., 2 views

ado-sfttrainer (>=1.0.1 <=1.8.0), aim-mlflow (>=0.1.0 <=0.2.1) +27 more potentially affected by CVE-2025-0189 via aim (>=3.17.4 <=4.0.3)

aim PYPI version =3.17.4, =1.0.1, =0.1.0, =0.1.0, =0.0.1, =4.46.1, =0.0.1, =0.0.3, =0.0.1, =1.1.5, =0.1.1, =0.22.0, =0.0.1, =0.0.1, =2.0.1, =2.0.7 and more Source cves: CVE-2025-0189 Source advisory: SNYK:PYTHON-AIM-9510938...

CVSS 7.5 | AI score 7 | EPSS 0.00578
Exploits: 1

vulnersOsv
added 2025/03/20 12:32 p.m., 3 views

dsipts (>=1.1.5 <=1.1.19), llm-toys (=0.1.1) +2 more potentially affected by CVE-2025-0189 via aim (>=3.17.4 <=3.20.1)

aim PYPI version =3.17.4, =1.1.5, =0.0.20, =0.1.0, =0.5.6 Source cves: CVE-2025-0189 Source advisory: OSV:GHSA-J5QJ-RG5J-J7C2...

CVSS 7.5 | AI score 7 | EPSS 0.00578
Exploits: 1

vulnersOsv
added 2025/03/20 12:32 p.m., 3 views

ado-sfttrainer (>=1.0.1 <=1.8.0), aim-mlflow (>=0.1.0 <=0.2.1) +27 more potentially affected by CVE-2024-8769 via aim (>=3.17.4 <=4.0.3)

aim PYPI version =3.17.4, =1.0.1, =0.1.0, =0.1.0, =0.0.1, =4.46.1, =0.0.1, =0.0.3, =0.0.1, =1.1.5, =0.1.1, =0.22.0, =0.0.1, =0.0.1, =2.0.1, =2.0.7 and more Source cves: CVE-2024-8769 Source advisory: SNYK:PYTHON-AIM-9510955...

CVSS 9.1 | AI score 7.2 | EPSS 0.01313
Exploits: 1

vulnersOsv
added 2025/03/20 12:32 p.m., 3 views

dsipts (>=1.1.5 <=1.1.19), llm-toys (=0.1.1) +2 more potentially affected by CVE-2024-8238 via aim (>=3.17.4 <=3.20.1)

aim PYPI version =3.17.4, =1.1.5, =0.0.20, =0.1.0, =0.5.6 Source cves: CVE-2024-8238 Source advisory: OSV:GHSA-R229-5WGF-F28G...

CVSS 8.1 | AI score 6.2 | EPSS 0.0039
Exploits: 1

vulnersOsv
added 2025/03/20 12:32 p.m., 6 views

ado-sfttrainer (>=1.0.1 <=1.8.0), aim-mlflow (>=0.1.0 <=0.2.1) +27 more potentially affected by CVE-2024-8238 via aim (>=3.17.4 <=4.0.3)

aim PYPI version =3.17.4, =1.0.1, =0.1.0, =0.1.0, =0.0.1, =4.46.1, =0.0.1, =0.0.3, =0.0.1, =1.1.5, =0.1.1, =0.22.0, =0.0.1, =0.0.1, =2.0.1, =2.0.7 and more Source cves: CVE-2024-8238 Source advisory: SNYK:PYTHON-AIM-9511126...

CVSS 8.1 | AI score 6.2 | EPSS 0.0039
Exploits: 1

vulnersOsv
added 2025/03/20 12:32 p.m., 3 views

dsipts (>=1.1.5 <=1.1.19), llm-toys (=0.1.1) +2 more potentially affected by CVE-2024-7760 via aim (>=3.17.4 <=3.20.1)

aim PYPI version =3.17.4, =1.1.5, =0.0.20, =0.1.0, =0.5.6 Source cves: CVE-2024-7760 Source advisory: OSV:GHSA-38R9-3J52-H92V...

CVSS 9.6 | AI score 7 | EPSS 0.00229
Exploits: 1

vulnersOsv
added 2025/03/20 12:32 p.m., 4 views

ado-sfttrainer (>=1.0.1 <=1.8.0), aim-mlflow (>=0.1.0 <=0.2.1) +27 more potentially affected by CVE-2024-6851 via aim (>=3.17.4 <=4.0.3)

aim PYPI version =3.17.4, =1.0.1, =0.1.0, =0.1.0, =0.0.1, =4.46.1, =0.0.1, =0.0.3, =0.0.1, =1.1.5, =0.1.1, =0.22.0, =0.0.1, =0.0.1, =2.0.1, =2.0.7 and more Source cves: CVE-2024-6851 Source advisory: SNYK:PYTHON-AIM-9511132...

CVSS 7.5 | AI score 7 | EPSS 0.01241
Exploits: 1

OSV
added 2025/03/20 12:32 p.m., 0 views

GHSA-P6X3-V6G3-7557 Aim Relative Path Traversal vulnerability

A vulnerability in the runs/delete-batch endpoint of aimhubio/aim version 3.19.3 allows for arbitrary file or directory deletion through path traversal. The endpoint does not mitigate path traversal when handling user-specified run-names, which are used to specify log/metadata files for deletion...

CVSS 5.3 | AI score 6 | EPSS 0.00659
Exploits: 1 | References: 3

Snyk
added 2025/03/20 12:32 p.m., 2 views

Relative Path Traversal

Overview aim is a super-easy way to record, search and compare AI experiments. Affected versions of this package are vulnerable to Relative Path Traversal through the runs/delete-batch endpoint. An attacker can delete arbitrary files or directories, potentially causing denial of service or data...

CVSS 6.9 | AI score 7 | EPSS 0.00659
Exploits: 1 | References: 2

OSV
added 2025/03/20 12:32 p.m., 3 views

GHSA-FX47-JPV9-7HXR Aim Vulnerable to Denial of Service (DoS)

In version 3.23.0 of aimhubio/aim, the ScheduledStatusReporter object can be instantiated to run on the main thread of the tracking server, leading to the main thread being blocked indefinitely. This results in a denial of service as the tracking server becomes unable to respond to other requests...

CVSS 7.5 | AI score 7 | EPSS 0.00345
Exploits: 1 | References: 4

vulnersOsv
added 2025/03/20 12:32 p.m., 2 views

ado-sfttrainer (>=1.0.1 <=1.8.0), aim-mlflow (>=0.1.0 <=0.2.1) +27 more potentially affected by CVE-2024-10110 via aim (>=3.17.4 <=4.0.3)

aim PYPI version =3.17.4, =1.0.1, =0.1.0, =0.1.0, =0.0.1, =4.46.1, =0.0.1, =0.0.3, =0.0.1, =1.1.5, =0.1.1, =0.22.0, =0.0.1, =0.0.1, =2.0.1, =2.0.7 and more Source cves: CVE-2024-10110 Source advisory: SNYK:PYTHON-AIM-9511139...

CVSS 7.5 | AI score 7 | EPSS 0.00345
Exploits: 1

Vulnrichment
added 2025/03/20 10:11 a.m., 4 views

CVE-2024-12777 Denial of Service in aimhubio/aim

A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service through the misuse of the sshfs-client. The tracking server, which is single-threaded, can be made unresponsive by requesting it to connect to an unresponsive socket via sshfs. The lack of an additional timeout setting ...

CVSS 5.9 | AI score 5.7 | EPSS 0.00214
Exploits: 1 | References: 1

CNNVD
added 2025/03/20 12:0 a.m., 1 view

Aim security vulnerability

Aim is an easy-to-use and high-performance open source experiment tracker from Aim Open Source USA. A security vulnerability exists in Aim version 3.25.0 that originates when tracking a large number of Text objects and querying them simultaneously via the Web API, which can lead to server...

CVSS 7.5 | AI score 7.3 | EPSS 0.00442
Exploits: 1 | References: 1

RedhatCVE
added 2025/02/05 3:3 a.m., 3 views

CVE-2024-6227

A vulnerability in aimhubio/aim version 3.19.3 allows an attacker to cause an infinite loop by configuring the remote tracking server to point at itself. This results in the server endlessly connecting to itself, rendering it unable to respond to other connections...

CVSS 7.5 | AI score 7.4 | EPSS 0.00272
Exploits: 1 | References: 1