Platform: python
Component: aimhubio/aim
CVE-2024-8769 is a critical Path Traversal vulnerability discovered in aimhubio/aim, a Python-based tracking server. This flaw allows attackers to delete arbitrary files on the server hosting the tracking service, potentially leading to data loss or system compromise. The vulnerability impacts versions up to the latest release. A fix is expected in a future release.
The LockManager.release_locks function in aimhubio/aim is vulnerable to path traversal due to improper handling of the run_hash parameter. This parameter, directly influenced by user input, is concatenated into a file path without proper sanitization. Consequently, an attacker can craft malicious requests to the Repo.close_run() method, accessible through the tracking server's instruction API, to delete any file on the server's file system. This includes critical configuration files, logs, or even system binaries, potentially leading to complete system takeover. The ability to delete arbitrary files significantly expands the attack surface and increases the potential for severe consequences.
This vulnerability was publicly disclosed on 2025-03-20. The severity is rated as CRITICAL (CVSS 9.1). No public proof-of-concept exploits are currently known, but the ease of exploitation makes it a high-priority concern. It is not currently listed on CISA KEV. Active campaigns are not confirmed, but the vulnerability's simplicity suggests potential for exploitation.
Exploit Status
EPSS: 0.71% (72nd percentile)
While a patched version of aimhubio/aim is the recommended solution, immediate mitigation steps can be taken. First, restrict access to the tracking server instruction API to only authorized users and systems. Implement strict input validation on the run_hash parameter to prevent the injection of relative path components. Consider using a Web Application Firewall (WAF) to filter out malicious requests containing path traversal attempts. Regular monitoring of file system activity for unexpected deletions is also crucial. After upgrading, verify the fix by attempting a path traversal attack via the tracking server API and confirming that file deletion is prevented.
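The two passages above describe the defect (user-controlled run_hash concatenated into a lock-file path before deletion) and the mitigation (strict input validation). The following added example, not code from the aim project, contrasts the unvalidated path construction with a hardened version that whitelists the run hash and confines the resolved path to the lock directory; the lock directory layout, file suffix and hash format are assumptions for illustration.

```python
import os
import re
from pathlib import Path

# Assumption: a lock directory under the repo; aim's real layout is not reproduced.
LOCK_DIR = Path("/tmp/aim_repo/locks")

# Assumption: a run hash is a short alphanumeric token and never contains path syntax.
RUN_HASH_RE = re.compile(r"^[A-Za-z0-9]{1,64}$")


def unsafe_lock_path(run_hash: str) -> Path:
    """The pattern described in the advisory: input joined straight into a path.
    Only computes the path; it never touches the file system."""
    return Path(os.path.join(str(LOCK_DIR), run_hash + ".lock"))


def escapes_lock_dir(path: Path) -> bool:
    """True if the normalised path lands outside LOCK_DIR."""
    normalised = Path(os.path.normpath(path))
    return LOCK_DIR not in normalised.parents


def safe_lock_path(run_hash: str) -> Path:
    """Whitelist the run hash, then confine the resolved path to LOCK_DIR."""
    if not RUN_HASH_RE.fullmatch(run_hash):
        raise ValueError("invalid run hash")
    candidate = (LOCK_DIR / f"{run_hash}.lock").resolve()
    # Second line of defence: even a well-formed name must stay inside LOCK_DIR.
    if LOCK_DIR.resolve() not in candidate.parents:
        raise ValueError("lock path escapes the lock directory")
    return candidate


def is_valid_run_hash(run_hash: str) -> bool:
    """Convenience wrapper: does safe_lock_path accept this run hash?"""
    try:
        safe_lock_path(run_hash)
        return True
    except ValueError:
        return False


def release_lock(run_hash: str) -> bool:
    """Remove the lock file for run_hash; returns True only if a file was removed."""
    path = safe_lock_path(run_hash)
    try:
        path.unlink()
        return True
    except FileNotFoundError:
        return False
```

Rejecting the input before any path is built is the primary control; the containment check after resolve() catches anything the whitelist might later be loosened to allow.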
Update the aimhubio/aim library to the latest available version. This should include the fix for the path traversal vulnerability. Refer to the release notes or changelog for more details about the fix.
CVE-2024-8769 is a critical vulnerability in aimhubio/aim that allows attackers to delete arbitrary files on the tracking server due to improper handling of user-supplied input in the LockManager.release_locks function.
If you are using aimhubio/aim versions up to the latest, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of aimhubio/aim. Until a patch is available, restrict access to the tracking server API and monitor file system activity.
While no active exploitation campaigns have been confirmed, the vulnerability's simplicity suggests a potential for exploitation. Monitor your systems closely.
Refer to the aimhubio project's official repository and communication channels for updates and advisories regarding CVE-2024-8769.