Platform
python
Component
aim
Fixed in
3.22.1
CVE-2024-6851 describes a Path Traversal vulnerability discovered in aimhubio/aim, a Python-based tracking server. This flaw allows attackers to delete arbitrary files by crafting a malicious glob-pattern within the LocalFileManager._cleanup function. Versions of aimhubio/aim prior to 3.22.0 are affected. A fix is expected in a future release.
The vulnerability lies in the LocalFileManager._cleanup function, which is responsible for deleting files based on a user-provided glob-pattern. The function fails to properly validate that the matched files reside within the intended directory. Consequently, an attacker can supply a carefully crafted glob-pattern that targets files outside of the managed directory, leading to arbitrary file deletion on the server. This could result in data loss, system instability, or even complete compromise of the system if critical configuration files or binaries are deleted. The potential impact is significant, especially in environments where aimhubio/aim is used to manage sensitive tracking data.
This vulnerability was publicly disclosed on 2025-03-20. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The EPSS score is pending evaluation. It is not listed on the CISA KEV catalog as of this writing.
Exploit Status
EPSS
0.38% (60% percentile)
CISA SSVC
CVSS Vector
While a patched version is pending, immediate mitigation steps can be taken. First, restrict access to the LocalFileManager.cleanup function to trusted users only. Implement strict input validation on the glob-pattern, ensuring it only matches files within the intended directory. Consider using a more secure file deletion mechanism that explicitly verifies file paths before deletion. As a temporary workaround, disable the file cleanup functionality entirely if it is not essential. Monitor system logs for any suspicious file deletion activity. After a patched version is released, upgrade immediately and confirm by verifying that the LocalFileManager.cleanup function now correctly validates file paths.
Actualice la biblioteca aimhubio/aim a una versión posterior a la 3.22.0 que corrija la vulnerabilidad. Esto evitará la eliminación arbitraria de archivos debido a un patrón glob malicioso. Consulte las notas de la versión para obtener más detalles sobre la corrección.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-6851 is a Path Traversal vulnerability in aimhubio/aim versions up to 3.22.0, allowing attackers to delete arbitrary files using a malicious glob-pattern.
You are affected if you are using aimhubio/aim version 3.22.0 or earlier. Upgrade to a patched version as soon as it becomes available.
Upgrade to a patched version of aimhubio/aim. Until then, restrict access to the file cleanup function and implement strict input validation on glob-patterns.
As of now, there are no confirmed reports of active exploitation, but it's crucial to apply mitigations proactively.
Refer to the aimhubio project's official website and GitHub repository for updates and security advisories regarding CVE-2024-6851.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.