23 matches found

Added 2024/04/10 5:08 p.m.

CVE-2024-2195

CVE-2024-2195 affects aimhubio/aim (versions ≥ 3.0.0). The issue is in the REST endpoint “/api/runs/search/run/” where the run_search_api in aim/web/api/runs/views.py fails to properly restrict access to the RunView object, allowing arbitrary code execution via the query parameter. Impact is high...

CVSS 9.8, AI score 9.9, EPSS 0.08378, tagged: Web
Added 2024/04/10 5:08 p.m.

CVE-2024-2196

The aimhubio/aim Cross-Site Request Forgery (CSRF) vulnerability is caused by missing CSRF and CORS protections in the aim dashboard. An attacker can lure a logged-in user into issuing unauthorized requests, enabling actions such as deleting runs, updating data, and exfiltrating log records or no...

CVSS 8.8, AI score 8.6, EPSS 0.00536
Added 2025/03/20 10:08 a.m.

CVE-2025-0190

CVE-2025-0190 affects the Aim web server in the aimhubio/aim package (version 3.25.0). The underlying issue is an excessive data query operation: tracking a large number of Text objects and then querying them simultaneously via the web API can cause the server to become unresponsive to other requ...

CVSS 7.5, AI score 7.5, EPSS 0.00442
Added 2025/03/20 10:11 a.m.

CVE-2024-8769

CVE-2024-8769 affects aimhubio/aim where the LockManager.release_locks function concatenates a user-controlled run_hash into a path, enabling relative path traversal that can delete arbitrary files. The flaw is exposed through Repo._close_run() via the tracking server instruction API, potentially...

CVSS 9.1, AI score 9.2, EPSS 0.01313
Added 2025/03/20 10:10 a.m.

CVE-2025-0189

CVE-2025-0189 affects aimhubio/aim version 3.25.0 where the tracking server allows oversized websocket messages, overriding the maximum size and causing DoS as it processes very large images. This makes the server unresponsive to other requests. According to the sources, there is no fixed version...

CVSS 7.5, AI score 7.5, EPSS 0.00578
Added 2021/11/23 7:15 p.m.

CVE-2021-43775

CVE-2021-43775 affects the Aim open‑source, self‑hosted machine learning experiment tracker. Public records describe a path traversal vulnerability in versions prior to 3.1.0, exploitable by manipulating references to files using dot-dot-slash sequences or absolute paths to access arbitrary files...

CVSS 8.6, AI score 8.5, EPSS 0.00447
Added 2024/09/14 11:00 p.m.

CVE-2024-8863

The CVE-2024-8863 issue affects aimhubio Aim up to 3.24, where the Text Explorer component’s textbox.tsx uses dangerouslySetInnerHTML. The root cause is that the query argument can be manipulated, which enables cross-site scripting. The vulnerability is remote-exploitable and public exploits have been disc...

CVSS 5.4, AI score 3.8, EPSS 0.00134
Added 2025/03/20 10:10 a.m.

CVE-2024-12778

CVE-2024-12778 affects the Aim project (aimhubio/aim) v3.25.0. The root cause is an absence of a limit on the number of metrics requested per call, which, together with a single-threaded server, allows excessive resource consumption and can render the web API unresponsive (DoS). Concretely, retri...

CVSS 7.5, AI score 7.5, EPSS 0.00426
Added 2024/07/12 12:00 a.m.

CVE-2024-6396

A vulnerability in the _backup_run function of aimhubio/aim 3.19.3 allows remote attackers to manipulate run_hash and repo.path to create/write arbitrary files on the host and exfiltrate data, with potential for denial of service, data loss, or remote code execution. Confirmed by connected sourc...

CVSS 9.8, AI score 9.8, EPSS 0.88697, tagged: In wild
Added 2025/05/29 3:00 p.m.

CVE-2025-5321

The CVE-2025-5321 entry affects aimhubio Aim up to 3.29.1, in the RestrictedPythonQuery function in /aim/storage/query.py (run_view Object Handler). The vulnerability arises from manipulation of the Query argument, which can lead to elevated privileges and sandbox issues, enabling ...

CVSS 9.9, AI score 6.4, EPSS 0.00376, tagged: Web
Added 2024/07/08 7:06 p.m.

CVE-2024-6227

CVE-2024-6227 affects the open-source tool aimhubio/aim version 3.19.3. The vulnerability arises when the remote tracking server is configured to point at itself, causing the server to endlessly connect to itself. This self-loop leads to a denial of service by rendering the server unresponsive to...

CVSS 7.5, AI score 7.4, EPSS 0.00272
Added 2025/03/20 10:09 a.m.

CVE-2024-6483

The CVE-2024-6483 entry concerns aimhubio/aim v3.19.3 with a path traversal flaw in the runs/delete-batch endpoint. The issue allows arbitrary file/directory deletion via user-specified run-names, risking denial of service or data loss. Reports from multiple sources (Red Hat, NVD, OSV, GHSA, Snyk...

CVSS 5.3, AI score 5.5, EPSS 0.00659, tagged: Web
Added 2024/07/29 6:37 p.m.

CVE-2024-6578

Stored XSS in aimhubio/aim 3.19.3 affects the logs-tab rendering, where logs are output with React dangerouslySetInnerHTML, allowing injected scripts to execute when a user views logs. Root cause: improper neutralization of input during web page generation. Impact: potential script execution in a...

CVSS 7.2, AI score 6.4, EPSS 0.00233
Added 2025/03/20 10:10 a.m.

CVE-2024-6829

CVE-2024-6829 affects aimhubio/aim 3.19.3. The vulnerability arises in tarfile.extractall(), allowing an attacker-controlled tarfile to be extracted to arbitrary locations on the host by manipulating repo.path and run_hash. This bypasses directory existence checks and can result in arbitrary file...

CVSS 9.1, AI score 7.1, EPSS 0.00145
Added 2025/03/20 10:11 a.m.

CVE-2024-8238

CVE-2024-8238 affects aimhubio/aim v3.22.0 where AimQL uses an outdated safer_getattr() from RestrictedPython, failing to block str.format_map() and allowing access to arbitrary Python attributes (e.g., os.environ) and potential unrestricted code execution if a malicious .dll/.so is loaded. Multi...

CVSS 8.1, AI score 7.4, EPSS 0.0039
Added 2025/03/20 10:09 a.m.

CVE-2024-10110

The CVE-2024-10110 issue affects aimhubio/aim (version 3.23.0) where the ScheduledStatusReporter can be instantiated to run on the tracking server’s main thread, blocking it and causing DoS by making the server unresponsive to other requests. Multiple connected sources corroborate the description...

CVSS 7.5, AI score 7.4, EPSS 0.00345
Added 2025/03/20 10:11 a.m.

CVE-2024-8101

CVE-2024-8101 affects aimhubio/aim v3.23.0, specifically the Text Explorer component. The issue is a stored XSS due to dangerouslySetInnerHTML being used without proper sanitization, enabling arbitrary JavaScript execution when rendering tracked texts (during the training process). Connected sour...

CVSS 7.2, AI score 6.5, EPSS 0.00233
Added 2025/03/20 10:10 a.m.

CVE-2024-8061

CVE-2024-8061 affects aimhubio/aim v3.23.0 where methods that fetch data from external resources lack request timeouts, leading to a denial of service as the server waits indefinitely (notably _run_read_instructions). Multiple feeds (Red Hat, NVD, OSV, CIRCL, GHSA, Snyk, CVE databases) corroborat...

CVSS 7.5, AI score 7, EPSS 0.00471
Added 2025/03/20 10:11 a.m.

CVE-2024-12777

The CVE-2024-12777 entry describes a Denial of Service in aimhubio/aim 3.25.0 caused by misuse of the sshfs-client. The tracking server is single-threaded and can become unresponsive when asked to connect to an unresponsive socket via sshfs. The root cause is the lack of an additional timeout in ...

CVSS 5.9, AI score 5.7, EPSS 0.00214
Added 2025/03/20 10:09 a.m.

CVE-2024-6851

CVE-2024-6851 affects aimhubio/aim v3.22.0. The LocalFileManager._cleanup function accepts a user-supplied glob-pattern and does not verify that matched files stay within the directory managed by LocalFileManager, allowing a crafted glob-pattern to delete arbitrary files. Reported impact is arbit...

CVSS 7.5, AI score 7.5, EPSS 0.01241
Added 2025/03/20 10:09 a.m.

CVE-2024-7760

CVE-2024-7760 affects aimhubio/aim (v3.22.0) where the tracking server is vulnerable to Cross‑Site Request Forgery (CSRF) due to overly permissive CORS settings that allow cross-origin requests from all origins. This vulnerability enables CSRF on all endpoints of the tracking server and can be ch...

CVSS 9.6, AI score 8.1, EPSS 0.00229
Added 2025/07/22 12:00 a.m.

CVE-2025-51463

CVE-2025-51463 concerns AIM 3.28.0, where a path traversal flaw in the restore_run_backup() function lets remote attackers craft a backup tar for the run_instruction API and write arbitrary files to the server filesystem because paths are not validated during extraction. Affected component: AIM s...

CVSS 7, AI score 6.8, EPSS 0.00697
Added 2025/07/22 12:00 a.m.

CVE-2025-51464

The CVE-2025-51464 entry affects aimhubio Aim version 3.28.0. A cross-site scripting (XSS) vulnerability exists in the /api/reports endpoint where Python code is submitted and interpreted by Pyodide when a report is viewed, allowing execution of arbitrary JavaScript in a victim’s browser via pyod...

CVSS 8.8, AI score 7.1, EPSS 0.01878, tagged: Web