VYPR
High severity · NVD Advisory · Published Apr 10, 2024 · Updated Aug 1, 2024

CSRF Vulnerability in aimhubio/aim

CVE-2024-2196

Description

aimhubio/aim is vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to perform actions such as deleting runs, updating data, and stealing data like log records and notes without the user's consent. The vulnerability stems from the lack of CSRF and CORS protection in the aim dashboard. An attacker can exploit this by tricking a user into executing a malicious script that sends unauthorized requests to the aim server, leading to potential data loss and unauthorized data manipulation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Aim dashboard lacks CSRF and CORS protection, allowing attackers to trick users into unauthorized actions like deleting runs or stealing data.

Vulnerability

CVE-2024-2196 describes a Cross-Site Request Forgery (CSRF) vulnerability in aimhubio/aim, an open-source ML experiment tracker. The aim dashboard fails to implement CSRF tokens and has insufficient CORS protections, enabling an attacker to craft malicious requests that appear legitimate to the server [1][2].

Exploitation

To exploit this, an attacker must trick an authenticated user into visiting a malicious webpage or clicking a crafted link. The malicious script then sends unauthorized requests to the aim server, leveraging the user's active session. No additional authentication is required beyond the user's existing session [2][3].

Impact

An attacker can delete experiment runs, modify metadata (e.g., notes, tags), and exfiltrate sensitive data such as log records and training metrics. This could lead to significant data loss and compromise the integrity of ML experiments [2][3].

Mitigation

As of the publication date, no patch has been announced by the vendor. Users should apply workarounds such as disabling cross-origin requests or using browser extensions for CSRF protection. The aim project may need to implement server-side CSRF tokens and enforce CORS policies [1][2].
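The two server-side controls named above (a CSRF token checked on every state-changing request, and a CORS policy built on an origin allow-list) are shown here as an added illustration. This is not code from aimhubio/aim; it is a framework-free model of a request handler, and the trusted origin, the `X-CSRF-Token` header name and the request shape are assumptions. The "before" handler and the reflecting CORS policy reproduce the weak behaviour the advisory describes; the "after" versions are the hardened counterparts.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Added illustration, not code from aimhubio/aim. It models the two controls the
# advisory says the dashboard lacked: a per-session CSRF token checked on every
# state-changing request, and a CORS policy that only trusts an explicit origin
# allow-list. The origin, header names and request shape are assumptions.

TRUSTED_ORIGINS = {"https://aim.example.internal"}   # assumed dashboard origin
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
CSRF_HEADER = "X-CSRF-Token"                          # assumed header name


def issue_csrf_token(session: dict) -> str:
    """Mint a random token and bind it to the server-side session."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _origin_of(url: str) -> str:
    """Reduce a URL to scheme://host[:port] for allow-list comparison."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def origin_is_trusted(headers: dict) -> bool:
    """Check Origin (falling back to Referer) against the allow-list."""
    source = headers.get("Origin") or headers.get("Referer")
    return source is not None and _origin_of(source) in TRUSTED_ORIGINS


def unprotected_handler(method: str, headers: dict, session: dict, body: dict) -> str:
    """Before: any request that carries the session cookie is honoured, so a
    cross-site form post or fetch() from another origin can delete runs."""
    return "allowed"


def protected_handler(method: str, headers: dict, session: dict, body: dict) -> str:
    """After: state-changing requests need a trusted origin and a valid token."""
    if method not in STATE_CHANGING:
        return "allowed"
    if not origin_is_trusted(headers):
        return "rejected: untrusted origin"
    expected = session.get("csrf_token")
    supplied = headers.get(CSRF_HEADER) or body.get("csrf_token")
    if not expected or not supplied or not hmac.compare_digest(expected, supplied):
        return "rejected: missing or invalid CSRF token"
    return "allowed"


def reflecting_cors_headers(request_headers: dict) -> dict:
    """Weak setting: echo whatever Origin arrives and allow credentials, which
    lets any site read authenticated API responses (the data-theft path)."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def allowlisted_cors_headers(request_headers: dict) -> dict:
    """Hardened setting: only a trusted origin is granted credentialed access."""
    origin = request_headers.get("Origin")
    if origin not in TRUSTED_ORIGINS:
        return {}   # no CORS headers: the browser blocks the cross-origin read
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    same_site = {"Origin": "https://aim.example.internal", CSRF_HEADER: token}
    cross_site = {"Origin": "https://attacker.example"}   # constructed value
    print("before, cross-site DELETE:", unprotected_handler("DELETE", cross_site, session, {}))
    print("after, cross-site DELETE: ", protected_handler("DELETE", cross_site, session, {}))
    print("after, same-site DELETE:  ", protected_handler("DELETE", same_site, session, {}))
```

In a real deployment this logic sits in middleware in front of every mutating route, and the token is handed to the dashboard's own JavaScript (or embedded in its forms) so that only pages served from the trusted origin can supply it. Marking the session cookie `SameSite=Lax` or `Strict` is a complementary browser-side defence, but it does not replace the server-side checks above.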

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: aim (PyPI)
Affected versions: <= 3.17.5
Patched versions: none listed

Affected products (2)

  • ghsa-coords
    Range: <= 3.17.5
  • aimhubio/aimhubio/aimv5
    Range: unspecified

Patches (0)


No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)


News mentions (0)


No linked articles in our index yet.