Denial of Service in aimhubio/aim
Description
In version 3.23.0 of aimhubio/aim, the ScheduledStatusReporter object can be instantiated to run on the main thread of the tracking server, leading to the main thread being blocked indefinitely. This results in a denial of service as the tracking server becomes unable to respond to other requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Aim v3.23.0's ScheduledStatusReporter can block the main thread, causing denial of service.
Vulnerability description
In aimhubio/aim version 3.23.0, the ScheduledStatusReporter object can be instantiated to run on the main thread of the tracking server. This causes the main thread to become blocked indefinitely, preventing the server from processing further requests [1][2].
Exploitation
An attacker who can trigger instantiation of ScheduledStatusReporter (e.g., via a crafted request) can exploit this flaw without authentication, as the server runs the reporter on the main thread by design [2].
Impact
Successful exploitation results in a denial of service: the tracking server becomes unresponsive to all legitimate requests, disrupting experiment tracking and UI access [2].
Mitigation
As of the publication date, no patch has been released. Users are advised to monitor the vendor's repository for updates [1][2][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| aim | PyPI | >= 3.15.0, <= 3.23.0 | — |
Affected products
- aimhubio/aim (version range: unspecified)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.