VYPR
Moderate severity · NVD Advisory · Published Mar 20, 2025 · Updated Mar 20, 2025

Denial of Service in aimhubio/aim

CVE-2024-12777

Description

A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service through the misuse of the sshfs-client. The tracking server, which is single-threaded, can be made unresponsive by requesting it to connect to an unresponsive socket via sshfs. The lack of an additional timeout setting in the sshfs-client causes the server to hang for a significant amount of time, preventing it from responding to other requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Aim v3.25.0 denial of service via sshfs-client misuse causes single-threaded server to hang on unresponsive socket.

Vulnerability

Description

CVE-2024-12777 affects aimhubio/aim version 3.25.0. The tracking server is single-threaded and uses the sshfs-client to mount remote filesystems. The sshfs-client lacks a configurable timeout, causing the server to hang indefinitely when attempting to connect to an unresponsive socket [1][2]. This is a classic resource exhaustion vulnerability.

Exploitation

An attacker who can send a request to the tracking server can trigger the hang by requesting a connection to an unresponsive socket via sshfs. The single-threaded nature of the server means that while the connection attempt hangs, the server cannot process any other requests [2]. No special privileges are required beyond the ability to interact with the server's API.

Impact

Successful exploitation results in a denial of service (DoS). The tracking server becomes unresponsive, interrupting experiment tracking and rendering the service unavailable to legitimate users [4]. There is no confidentiality or integrity impact.

Mitigation

Status

Currently, no patch is available in the referenced sources [3]. Users should monitor the vendor's repository for updates and consider implementing a timeout or limiting sshfs requests as a workaround [1][4].
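The workaround above amounts to never letting the single-threaded server block on an unbounded connection attempt. The following is an added illustration, not code from the aim project: it probes the SSH endpoint with a bounded socket timeout before any mount is attempted, and wraps the sshfs invocation in a subprocess deadline. The sshfs command line, the `probe_endpoint`/`mount_with_timeout` helpers and the local unresponsive listener are assumptions constructed for this example.

```python
import socket
import subprocess


def probe_endpoint(host: str, port: int, timeout: float) -> str:
    """Bounded pre-flight check before handing the request to sshfs.

    Connects and waits for the SSH banner, but never longer than `timeout`
    seconds. Returns 'ok', 'timeout', 'refused' or 'unexpected' instead of
    blocking the single-threaded caller indefinitely.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)          # also bound the read, not just the connect
            banner = sock.recv(64)
            return "ok" if banner.startswith(b"SSH-") else "unexpected"
    except socket.timeout:                    # connect or banner read exceeded the deadline
        return "timeout"
    except OSError:                           # connection refused, unreachable, etc.
        return "refused"


def mount_with_timeout(remote: str, mountpoint: str, timeout: float) -> bool:
    """Run sshfs under a hard deadline (assumed invocation; sshfs must be installed).

    sshfs stays in the foreground until the mount is established, so a hung
    connection keeps the process alive; the subprocess timeout kills it rather
    than letting it stall the server loop.
    """
    try:
        proc = subprocess.run(["sshfs", remote, mountpoint],
                              timeout=timeout, check=False, capture_output=True)
        return proc.returncode == 0
    except subprocess.TimeoutExpired:
        return False


def silent_listener() -> tuple[socket.socket, int]:
    """Constructed test fixture standing in for the advisory's unresponsive socket.

    The kernel completes the TCP handshake from the listen backlog, so clients
    connect successfully but never receive a byte because nothing accept()s.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = silent_listener()
    print("probe:", probe_endpoint("127.0.0.1", port, 0.5))   # timeout, not a hang
    srv.close()
```

Only when the probe returns 'ok' should the mount be attempted, and even then under the subprocess deadline.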

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: aim (PyPI)
Affected versions: <= 3.25.0
Patched versions: (none listed)

Affected products (3)

  • Aimhubio/Aimllm-fuzzy
    Range: = 3.25.0
  • ghsa-coords
    Range: <= 3.25.0
  • aimhubio/aimhubio/aimv5
    Range: unspecified

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.