CVE-2024-8769 is a critical Path Traversal vulnerability discovered in aimhubio/aim, a Python-based tracking server. This flaw allows attackers to delete arbitrary files on the server hosting the tracking service, potentially leading to data loss or system compromise. The vulnerability impacts versions up to the latest release. A fix is expected in a future release.
The LockManager.release_locks function in aimhubio/aim is vulnerable to path traversal due to improper handling of the run_hash parameter. This parameter, taken directly from user input, is concatenated into a file path without sanitization. Consequently, an attacker can craft malicious requests to the Repo.close_run() method, reachable through the tracking server's instruction API, to delete any file on the server's file system. This includes critical configuration files, logs, or even system binaries, potentially leading to complete system takeover. The ability to delete arbitrary files significantly expands the attack surface and increases the potential for severe consequences.
This vulnerability was publicly disclosed on 2025-03-20. The severity is rated as CRITICAL (CVSS 9.1). No public proof-of-concept exploits are currently known, but the ease of exploitation makes it a high-priority concern. It is not currently listed on CISA KEV. Active campaigns are not confirmed, but the vulnerability's simplicity suggests potential for exploitation.
Organizations utilizing aimhubio/aim as a tracking server, particularly those with publicly exposed APIs or inadequate input validation, are at significant risk. Shared hosting environments where multiple users share the same server instance are especially vulnerable, as an attacker could potentially compromise the entire system through a single affected aimhubio/aim instance.
• python / server:

    import os

    # Check the tracking server log for suspicious lock-release requests.
    # Adjust log_file to wherever your deployment writes the server log.
    log_file = '/path/to/aimhubio/aim/logs/tracking_server.log'
    if os.path.exists(log_file):
        with open(log_file, 'r') as f:
            for line in f:
                if 'delete' in line.lower() and 'run_hash' in line.lower():
                    print(f'Potential path traversal attempt detected: {line.rstrip()}')

• linux / server:

    # Monitor the service journal for unexpected deletions
    journalctl -f -u aimhubio_aim | grep 'delete'
Exploitation status: EPSS 0.71% (72nd percentile)
While a patched version of aimhubio/aim is the recommended solution, immediate mitigation steps can be taken. First, restrict access to the tracking server instruction API to only authorized users and systems. Implement strict input validation on the run_hash parameter to prevent the injection of relative path components. Consider using a Web Application Firewall (WAF) to filter out malicious requests containing path traversal attempts. Regular monitoring of file system activity for unexpected deletions is also crucial. After upgrading, verify the fix by attempting a path traversal attack via the tracking server API and confirming that file deletion is prevented.
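The root cause described above (a user-controlled run_hash joined straight into a lock-file path) and the mitigation recommended here (strict validation of run_hash) can both be shown side by side. The following is an added illustration written for this page; it is not aim's own code. It assumes a hypothetical lock directory layout of one lock file per run, named by its run hash, and assumes run hashes are short alphanumeric strings; the naive_lock_path function reproduces the vulnerable pattern only to show why the hardened version is needed.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumption: a run hash is a short alphanumeric identifier. Anything else
# (dots, slashes, NUL, an empty string) is rejected before it touches a path.
RUN_HASH_RE = re.compile(r"^[A-Za-z0-9]{1,64}$")


def naive_lock_path(locks_dir: str, run_hash: str) -> str:
    """The vulnerable pattern: untrusted input concatenated straight into a path.

    os.path.join does not normalise "../" segments, and an absolute run_hash
    discards locks_dir entirely, so the caller ends up operating outside it.
    """
    return os.path.join(locks_dir, run_hash)


def safe_lock_path(locks_dir: str, run_hash: str) -> Path:
    """Hardened version: allow-list the identifier, then prove that the
    resolved path still lives directly inside locks_dir."""
    if not RUN_HASH_RE.fullmatch(run_hash):
        raise ValueError(f"invalid run_hash: {run_hash!r}")
    base = Path(locks_dir).resolve()
    target = (base / run_hash).resolve()
    # Containment check: even if the regex were loosened, a path that resolves
    # to a different parent (symlink tricks included) is refused.
    if target.parent != base:
        raise ValueError("run_hash escapes the locks directory")
    return target


def is_traversal_attempt(locks_dir: str, run_hash: str) -> bool:
    """True when the hardened check would reject this run_hash; useful as a
    detection hook to log and alert on before any file is touched."""
    try:
        safe_lock_path(locks_dir, run_hash)
        return False
    except ValueError:
        return True


def release_locks(locks_dir: str, run_hash: str) -> bool:
    """Delete the run's lock file only when the path passes validation.

    Returns True if a lock file was removed, False if none existed.
    Raises ValueError (and deletes nothing) for traversal attempts.
    """
    target = safe_lock_path(locks_dir, run_hash)
    if target.is_file():
        target.unlink()
        return True
    return False


def demo_release_in_tempdir() -> tuple:
    """Create a lock file in a throw-away directory and release it twice:
    first call removes it (True), second finds nothing (False)."""
    locks_dir = tempfile.mkdtemp()
    run_hash = "a1b2c3d4e5f6"  # constructed sample identifier
    Path(locks_dir, run_hash).touch()
    first = release_locks(locks_dir, run_hash)
    second = release_locks(locks_dir, run_hash)
    return first, second


if __name__ == "__main__":
    locks = "/srv/aim/.aim/locks"  # hypothetical deployment path
    for candidate in ("a1b2c3d4e5f6", "../../../../etc/passwd", "/etc/passwd"):
        print(f"{candidate!r}: naive -> {naive_lock_path(locks, candidate)}, "
              f"traversal? {is_traversal_attempt(locks, candidate)}")
    print("release in tempdir:", demo_release_in_tempdir())
```

The two checks in safe_lock_path are deliberately redundant: the allow-list stops hostile input at the API boundary, and the resolve-and-compare step guarantees containment even if the identifier format is relaxed later. Logging every is_traversal_attempt hit gives the file-system monitoring suggested above a precise signal instead of a generic grep for "delete".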
Update the aimhubio/aim library to the latest available version. This should include the fix for the path traversal vulnerability. Refer to the release notes or changelog for more details about the fix.
CVE-2024-8769 is a critical vulnerability in aimhubio/aim that allows attackers to delete arbitrary files on the tracking server due to improper handling of user-supplied input in the LockManager.release_locks function.
If you are using aimhubio/aim versions up to the latest, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of aimhubio/aim. Until a patch is available, restrict access to the tracking server API and monitor file system activity.
While no active exploitation campaigns have been confirmed, the vulnerability's simplicity suggests a potential for exploitation. Monitor your systems closely.
Refer to the aimhubio project's official repository and communication channels for updates and advisories regarding CVE-2024-8769.