aim-3.28.0-cp38-cp38-macosx_11_0_arm64.whl: 9 vulnerabilities (highest severity is: 9.1) #46

@ibm-mend-app

Description

Vulnerable Library - aim-3.28.0-cp38-cp38-macosx_11_0_arm64.whl

A super-easy way to record, search and compare AI experiments.

Library home page: https://files.pythonhosted.org/packages/7b/e0/b7e903c541bd58f2309bfc502b07636bfdbda9403cc3203fde3941f73738/aim-3.28.0-cp38-cp38-macosx_11_0_arm64.whl

Path to dependency file: /models/pos_egnn/fine-tuning/raman/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20250918082811_EVRJPN/python_EMJYWP/20250918082812/26/aim-3.28.0-cp39-cp39-manylinux_2_28_x86_64.whl

Found in HEAD commit: de615824db77a7030c9d4126994d28cbe005791b

Vulnerabilities

| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (aim version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2024-6829 | Critical | 9.1 | aim-3.28.0-cp38-cp38-macosx_11_0_arm64.whl | Direct | N/A | |
| CVE-2025-51464 | High | 8.8 | aim-3.28.0-cp38-cp38-macosx_11_0_arm64.whl | Direct | N/A | |
| CVE-2025-0190 | High | 7.5 | aim-3.28.0-cp38-cp38-macosx_11_0_arm64.whl | Direct | N/A | |
| CVE-2025-0189 | High | 7.5 | aim-3.28.0-cp38-cp38-macosx_11_0_arm64.whl | Direct | N/A | |
| CVE-2024-8061 | High | 7.5 | aim-3.28.0-cp38-cp38-macosx_11_0_arm64.whl | Direct | N/A | |
| CVE-2024-6851 | High | 7.5 | aim-3.28.0-cp38-cp38-macosx_11_0_arm64.whl | Direct | N/A | |
| CVE-2025-51463 | High | 7.0 | aim-3.28.0-cp38-cp38-macosx_11_0_arm64.whl | Direct | N/A | |
| CVE-2025-5321 | Medium | 6.3 | aim-3.28.0-cp38-cp38-macosx_11_0_arm64.whl | Direct | N/A | |
| CVE-2024-6483 | Medium | 5.3 | aim-3.28.0-cp38-cp38-macosx_11_0_arm64.whl | Direct | N/A | |

**In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2024-6829

Dependency Hierarchy:

  • aim-3.28.0-cp38-cp38-macosx_11_0_arm64.whl (Vulnerable Library)

Found in HEAD commit: de615824db77a7030c9d4126994d28cbe005791b

Found in base branch: main

Vulnerability Details

A vulnerability in aimhubio/aim version 3.19.3 allows an attacker to exploit the "tarfile.extractall()" function to extract the contents of a maliciously crafted tarfile to arbitrary locations on the host server. The attacker can control "repo.path" and "run_hash" to bypass directory existence checks and extract files to unintended locations, potentially overwriting critical files. This can lead to arbitrary data being written to arbitrary locations on the remote tracking server, which could be used for further attacks such as writing a new SSH key to the target server.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-03-20

URL: CVE-2024-6829

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

CVE-2025-51464

Dependency Hierarchy:

  • aim-3.28.0-cp38-cp38-macosx_11_0_arm64.whl (Vulnerable Library)

Found in HEAD commit: de615824db77a7030c9d4126994d28cbe005791b

Found in base branch: main

Vulnerability Details

Cross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims' browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox restrictions prevent JavaScript execution via pyodide.code.run_js().

Publish Date: 2025-07-22

URL: CVE-2025-51464

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

CVE-2025-0190

Dependency Hierarchy:

  • aim-3.28.0-cp38-cp38-macosx_11_0_arm64.whl (Vulnerable Library)

Found in HEAD commit: de615824db77a7030c9d4126994d28cbe005791b

Found in base branch: main

Vulnerability Details

In version 3.25.0 of aimhubio/aim, a denial of service vulnerability exists. By tracking a large number of "Text" objects and then querying them simultaneously through the web API, the Aim web server becomes unresponsive to other requests for an extended period while processing and returning these objects. This vulnerability can be exploited repeatedly, leading to a complete denial of service.

Publish Date: 2025-03-20

URL: CVE-2025-0190

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

CVE-2025-0189

Dependency Hierarchy:

  • aim-3.28.0-cp38-cp38-macosx_11_0_arm64.whl (Vulnerable Library)

Found in HEAD commit: de615824db77a7030c9d4126994d28cbe005791b

Found in base branch: main

Vulnerability Details

In version 3.25.0 of aimhubio/aim, the tracking server is vulnerable to a denial of service attack. The server overrides the maximum size for websocket messages, allowing very large images to be tracked. This causes the server to become unresponsive to other requests while processing the large image, leading to a denial of service condition.

Publish Date: 2025-03-20

URL: CVE-2025-0189

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

CVE-2024-8061

Dependency Hierarchy:

  • aim-3.28.0-cp38-cp38-macosx_11_0_arm64.whl (Vulnerable Library)

Found in HEAD commit: de615824db77a7030c9d4126994d28cbe005791b

Found in base branch: main

Vulnerability Details

In version 3.23.0 of aimhubio/aim, certain methods that request data from external servers do not have set timeouts, causing the server to wait indefinitely for a response. This can lead to a denial of service, as the tracking server does not respond to other requests while waiting. The issue arises in the client used by the "aim" tracking server to communicate with external resources, specifically in the "_run_read_instructions" method and similar calls without timeouts.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-03-20

URL: CVE-2024-8061

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

CVE-2024-6851

Dependency Hierarchy:

  • aim-3.28.0-cp38-cp38-macosx_11_0_arm64.whl (Vulnerable Library)

Found in HEAD commit: de615824db77a7030c9d4126994d28cbe005791b

Found in base branch: main

Vulnerability Details

In version 3.22.0 of aimhubio/aim, the LocalFileManager._cleanup function in the aim tracking server accepts a user-specified glob-pattern for deleting files. The function does not verify that the matched files are within the directory managed by LocalFileManager, allowing a maliciously crafted glob-pattern to lead to arbitrary file deletion.

Publish Date: 2025-03-20

URL: CVE-2024-6851

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

CVE-2025-51463

Dependency Hierarchy:

  • aim-3.28.0-cp38-cp38-macosx_11_0_arm64.whl (Vulnerable Library)

Found in HEAD commit: de615824db77a7030c9d4126994d28cbe005791b

Found in base branch: main

Vulnerability Details

Path Traversal in restore_run_backup() in AIM 3.28.0 allows remote attackers to write arbitrary files to the server's filesystem via a crafted backup tar file submitted to the run_instruction API, which is extracted without path validation during restoration.

Publish Date: 2025-07-22

URL: CVE-2025-51463

CVSS 3 Score Details (7.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: Low

CVE-2025-5321

Dependency Hierarchy:

  • aim-3.28.0-cp38-cp38-macosx_11_0_arm64.whl (Vulnerable Library)

Found in HEAD commit: de615824db77a7030c9d4126994d28cbe005791b

Found in base branch: main

Vulnerability Details

A vulnerability classified as critical was found in aimhubio aim up to 3.29.1. This vulnerability affects the function RestrictedPythonQuery of the file /aim/storage/query.py of the component run_view Object Handler. The manipulation of the argument query leads to privilege escalation. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Publish Date: 2025-05-29

URL: CVE-2025-5321

CVSS 3 Score Details (6.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

CVE-2024-6483

Dependency Hierarchy:

  • aim-3.28.0-cp38-cp38-macosx_11_0_arm64.whl (Vulnerable Library)

Found in HEAD commit: de615824db77a7030c9d4126994d28cbe005791b

Found in base branch: main

Vulnerability Details

A vulnerability in the "runs/delete-batch" endpoint of aimhubio/aim version 3.19.3 allows for arbitrary file or directory deletion through path traversal. The endpoint does not mitigate path traversal when handling user-specified run-names, which are used to specify log/metadata files for deletion. This can be exploited to delete arbitrary files or directories, potentially causing denial of service or data loss.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-03-20

URL: CVE-2024-6483

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low
