VYPR
High severity · NVD Advisory · Published Mar 20, 2025 · Updated Oct 15, 2025

Denial of Service in aimhubio/aim

CVE-2024-12778

Description

A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service (DoS) attack. The issue arises when a large number of tracked metrics are retrieved simultaneously from the Aim web API, causing the web server to become unresponsive. The root cause is the lack of a limit on the number of metrics that can be requested per call, combined with the server's single-threaded nature, leading to excessive resource consumption and blocking of the server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Aim v3.25.0 is vulnerable to a denial of service (DoS) attack via an unbounded metrics API call, exhausting a single-threaded web server.

Vulnerability

Overview

CVE-2024-12778 is a denial of service (DoS) vulnerability in aimhubio/aim version 3.25.0, an open-source ML experiment tracker [1]. The root cause is the absence of a limit on the number of tracked metrics that can be requested in a single API call; combined with the web server's single-threaded architecture, this leads to excessive resource consumption that blocks the server from processing further requests [2].

Exploitation and Impact

An unauthenticated attacker can exploit this by sending a request to retrieve a large number of metrics simultaneously from the Aim web API. Because the server processes the request in a single thread, the operation monopolizes CPU and memory resources, making the web interface and API completely unresponsive until the request completes or the server is manually restarted [2]. There is no requirement for authentication, and the attack can be carried out remotely over HTTP.

Mitigation

As of the publication date (2025-03-20), no patch has been released for version 3.25.0. The vendor's GitHub repository and the Huntr bounty disclosure both describe the issue, but no official fix or workaround is documented [1][3]. Administrators should monitor the aimhubio/aim repository for updates and consider implementing a reverse proxy with request size limits or resource throttling as a temporary measure.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
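As an added illustration of the temporary measure suggested above (example code written for this page, not from the Aim project or the advisory), a proxy-side guard that caps the number of metric selectors per call and throttles each client with a token bucket. The `metrics` parameter name, the `/api/metrics` path and the limit values are assumptions; Aim's real API may differ.

```python
import time
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumed limits for an Aim deployment; tune to the real workload.
MAX_METRICS_PER_REQUEST = 100   # cap on metric selectors in one call
MAX_QUERY_BYTES = 4096          # cap on query-string length
RATE_PER_SECOND = 5.0           # sustained requests per client
BURST = 10                      # token-bucket capacity per client


class ClientThrottle:
    """Per-client token bucket: each request spends one token."""

    def __init__(self, rate=RATE_PER_SECOND, burst=BURST, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens = defaultdict(lambda: float(burst))  # bucket starts full
        self.last = {}                                   # last refill time per client

    def allow(self, client):
        now = self.clock()
        elapsed = now - self.last.get(client, now)
        self.last[client] = now
        # Refill proportionally to elapsed time, never above the burst size.
        self.tokens[client] = min(self.burst, self.tokens[client] + elapsed * self.rate)
        if self.tokens[client] < 1.0:
            return False
        self.tokens[client] -= 1.0
        return True


def guard_request(client, url, throttle):
    """Return (allowed, reason) for one request before it reaches the app."""
    parts = urlsplit(url)
    if len(parts.query) > MAX_QUERY_BYTES:
        return False, "query string too long"
    # 'metrics' is an assumed parameter name carrying comma-separated selectors.
    selectors = parse_qs(parts.query).get("metrics", [])
    count = sum(len(v.split(",")) for v in selectors)
    if count > MAX_METRICS_PER_REQUEST:
        return False, f"{count} metrics requested, limit {MAX_METRICS_PER_REQUEST}"
    if not throttle.allow(client):
        return False, "rate limit exceeded"
    return True, "ok"
```

Rejecting oversized selector lists before they reach the single-threaded server keeps one request from monopolizing it; the per-client bucket bounds how often any one caller can retry.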

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: aim (PyPI)
Affected versions: <= 3.25.0
Patched versions: none listed

Affected products (3)
  • Aimhubio/Aimllm-fuzzy
    Range: = 3.25.0
  • ghsa-coords
    Range: <= 3.25.0
  • aimhubio/aimhubio/aimv5
    Range: unspecified

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.