aim
PyPI20 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting aimpage 1 of 1
- CVE-2021-43775HIGHCVSS 8.6EG 8.6✓ Fixed in 3.1.02021-11-23
vulnerable: 2.0.19 ... 3.1.0rc1 (87 versions)
Aim is an open-source, self-hosted machine learning experiment tracking tool. Versions of Aim prior to 3.1.0 are vulnerable to a path traversal attack. By manipulating variables that reference files with “dot-dot-slash (../)” sequences…
- CVE-2024-10110HIGHCVSS 7.5EG 7.52025-03-20
vulnerable: 3.15.0 ... 3.23.0 (30 versions)
In version 3.23.0 of aimhubio/aim, the ScheduledStatusReporter object can be instantiated to run on the main thread of the tracking server, leading to the main thread being blocked indefinitely. This results in a denial of service as the t…
- CVE-2024-12777MEDIUMCVSS 5.9EG 5.92025-03-20
vulnerable: 2.0.19 ... 3.9.4 (126 versions)
A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service through the misuse of the sshfs-client. The tracking server, which is single-threaded, can be made unresponsive by requesting it to connect to an unresponsive so…
- CVE-2024-12778HIGHCVSS 7.5EG 7.52025-03-20
vulnerable: 2.0.19 ... 3.9.4 (126 versions)
A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service (DoS) attack. The issue arises when a large number of tracked metrics are retrieved simultaneously from the Aim web API, causing the web server to become unrespo…
- CVE-2024-2195CRITICALCVSS 9.8EG 9.82024-04-10
vulnerable: 3.0.0 ... 3.9.4 (123 versions)
A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the `/api/runs/search/run/` endpoint, affecting versions >= 3.0.0. The vulnerability resides in the `run_search_api` funct…
- CVE-2024-2196HIGHCVSS 8.8EG 8.82024-04-10
vulnerable: 2.0.19 ... 3.9.4 (110 versions)
aimhubio/aim is vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to perform actions such as deleting runs, updating data, and stealing data like log records and notes without the user's consent. The vulnerability stems f…
- CVE-2024-6227HIGHCVSS 7.5EG 7.52024-07-08
vulnerable: 2.0.19 ... 3.9.4 (120 versions)
A vulnerability in aimhubio/aim version 3.19.3 allows an attacker to cause an infinite loop by configuring the remote tracking server to point at itself. This results in the server endlessly connecting to itself, rendering it unable to res…
- CVE-2024-6483MEDIUMCVSS 5.3EG 5.32025-03-20
vulnerable: 2.0.19 ... 3.9.4 (120 versions)
A vulnerability in the `runs/delete-batch` endpoint of aimhubio/aim version 3.19.3 allows for arbitrary file or directory deletion through path traversal. The endpoint does not mitigate path traversal when handling user-specified run-names…
- CVE-2024-6578MEDIUMCVSS 5.4EG 6.12024-07-29
vulnerable: 2.0.19 ... 3.9.4 (120 versions)
A stored cross-site scripting (XSS) vulnerability exists in aimhubio/aim version 3.19.3. The vulnerability arises from the improper neutralization of input during web page generation, specifically in the logs-tab for runs. The terminal out…
- CVE-2024-6829CRITICALCVSS 9.1EG 9.12025-03-20
vulnerable: 2.0.19 ... 3.9.4 (120 versions)
A vulnerability in aimhubio/aim version 3.19.3 allows an attacker to exploit the `tarfile.extractall()` function to extract the contents of a maliciously crafted tarfile to arbitrary locations on the host server. The attacker can control `…
- CVE-2024-6851HIGHCVSS 7.5EG 7.52025-03-20
vulnerable: 2.0.19 ... 3.9.4 (123 versions)
In version 3.22.0 of aimhubio/aim, the LocalFileManager._cleanup function in the aim tracking server accepts a user-specified glob-pattern for deleting files. The function does not verify that the matched files are within the directory man…
- CVE-2024-7760CRITICALCVSS 9.6EG 7.42025-03-20
vulnerable: 2.0.19 ... 3.9.4 (123 versions)
aimhubio/aim version 3.22.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the tracking server. The vulnerability is due to overly permissive CORS settings, allowing cross-origin requests from all origins. This enables CSRF …
- CVE-2024-8061HIGHCVSS 7.5EG 7.52025-03-20
vulnerable: 2.0.19 ... 3.9.4 (124 versions)
In version 3.23.0 of aimhubio/aim, certain methods that request data from external servers do not have set timeouts, causing the server to wait indefinitely for a response. This can lead to a denial of service, as the tracking server does …
- CVE-2024-8238HIGHCVSS 8.1EG 5.92025-03-20
vulnerable: 3.0.0 ... 3.9.4 (96 versions)
In version 3.22.0 of aimhubio/aim, the AimQL query language uses an outdated version of the safer_getattr() function from RestrictedPython. This version does not protect against the str.format_map() method, allowing an attacker to leak ser…
- CVE-2024-8769CRITICALCVSS 9.1EG 9.12025-03-20
vulnerable: 3.15.0 ... 3.27.0.dev20241217 (51 versions)
A vulnerability in the `LockManager.release_locks` function in aimhubio/aim (commit bb76afe) allows for arbitrary file deletion through relative path traversal. The `run_hash` parameter, which is user-controllable, is concatenated without …
- CVE-2024-8863LOWCVSS 3.5EG 3.52024-09-14
vulnerable: 2.0.19 ... 3.9.4 (173 versions)
A vulnerability, which was classified as problematic, was found in aimhubio aim up to 3.24. Affected is the function dangerouslySetInnerHTML of the file textbox.tsx of the component Text Explorer. The manipulation of the argument query lea…
- CVE-2025-0189HIGHCVSS 7.5EG 7.52025-03-20
vulnerable: 2.0.19 ... 3.9.4 (126 versions)
In version 3.25.0 of aimhubio/aim, the tracking server is vulnerable to a denial of service attack. The server overrides the maximum size for websocket messages, allowing very large images to be tracked. This causes the server to become un…
- CVE-2025-0190HIGHCVSS 7.5EG 7.52025-03-20
vulnerable: 2.0.19 ... 3.9.4 (126 versions)
In version 3.25.0 of aimhubio/aim, a denial of service vulnerability exists. By tracking a large number of `Text` objects and then querying them simultaneously through the web API, the Aim web server becomes unresponsive to other requests …
- CVE-2025-51464HIGHCVSS 8.8EG 8.82025-07-22
vulnerable: 2.0.19 ... 3.9.4 (197 versions)
Cross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide wh…
- CVE-2025-5321CRITICALCVSS 9.9EG 6.32025-05-29
vulnerable: 2.0.19 ... 3.9.4 (162 versions)
A vulnerability classified as critical was found in aimhubio aim up to 3.29.1. This vulnerability affects the function RestrictedPythonQuery of the file /aim/storage/query.py of the component run_view Object Handler. The manipulation of th…
Check whether aim is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for aim CVEs against the assets you own.
Start Free Scan →