Arbitrary File/Directory Deletion in aimhubio/aim
Description
A vulnerability in the runs/delete-batch endpoint of aimhubio/aim version 3.19.3 allows for arbitrary file or directory deletion through path traversal. The endpoint does not mitigate path traversal when handling user-specified run-names, which are used to specify log/metadata files for deletion. This can be exploited to delete arbitrary files or directories, potentially causing denial of service or data loss.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal vulnerability in Aim's runs/delete-batch endpoint allows unauthenticated arbitrary file deletion, risking denial of service or data loss.
Analysis
A vulnerability was discovered in the runs/delete-batch endpoint of aimhubio/aim version 3.19.3 [1][2]. The endpoint accepts a batch of run names and removes the log/metadata files belonging to each one. The run names are used as path components when the files to delete are located, and nothing checks that the resulting path still lies inside the repository's run storage. A run name containing traversal sequences such as ../ therefore resolves to a location outside the intended directory, and that location is what gets deleted [2].
Exploitation
An attacker can exploit this by sending a crafted request to the runs/delete-batch endpoint with a run name containing path traversal sequences (e.g., ../). No authentication is required, so every instance that exposes the endpoint is reachable [2]. The endpoint deletes whatever the supplied path resolves to, bypassing the restriction to run data that the run-name parameter was meant to enforce [2]. The deletion runs with the privileges of the Aim server process, so anything that user can remove is in scope, not only files under the Aim repository.
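The pattern described in the Analysis and Exploitation paragraphs, reconstructed as an added example that is not aim's own code and not part of the advisory. The directory layout (<repo>/meta/chunks/<run_hash>), the 24-hex-character run-hash format and the function names are assumptions made for this illustration. The vulnerable variant joins the caller's run name onto the repository path and deletes whatever that resolves to; the hardened variant allow-lists the run-name shape and then confirms the resolved path is a direct child of the run storage directory before touching the filesystem.

```python
"""
Illustrative reconstruction of the delete-batch flaw (added example; the layout,
run-hash format and function names are assumptions, not aim's own code).
"""
import re
import shutil
import tempfile
from pathlib import Path

# Assumed: run metadata lives under <repo>/meta/chunks/<run_hash>, and a run
# hash is 24 lowercase hex characters.
RUN_HASH_RE = re.compile(r"[0-9a-f]{24}")


class TraversalError(ValueError):
    """Raised by the hardened variant when a run name is not a plain run hash."""


def delete_runs_vulnerable(repo: Path, run_names: list) -> list:
    """Vulnerable pattern: no validation, so '../' segments and absolute
    paths are honoured and the deletion lands wherever they point."""
    deleted = []
    for name in run_names:
        target = repo / "meta" / "chunks" / name  # pathlib keeps '..' as given
        if target.is_dir():
            shutil.rmtree(target)
            deleted.append(target)
        elif target.exists():
            target.unlink()
            deleted.append(target)
    return deleted


def delete_runs_hardened(repo: Path, run_names: list) -> list:
    """Allow-list the run-name shape, then confirm the resolved path is a
    direct child of the chunks directory before deleting anything."""
    chunks = (repo / "meta" / "chunks").resolve()
    deleted = []
    for name in run_names:
        if not RUN_HASH_RE.fullmatch(name):
            raise TraversalError(f"run name {name!r} is not a run hash")
        target = (chunks / name).resolve()
        if target.parent != chunks:  # defence in depth: containment check
            raise TraversalError(f"{target} escapes {chunks}")
        if target.is_dir():
            shutil.rmtree(target)
            deleted.append(target)
    return deleted


def build_repo():
    """Constructed fixture: a repo holding one legitimate run, plus a sibling
    directory outside the repo that a correct implementation must never touch."""
    base = Path(tempfile.mkdtemp())
    repo = base / "repo"
    (repo / "meta" / "chunks" / ("a" * 24)).mkdir(parents=True)
    outside = base / "important"
    outside.mkdir()
    (outside / "data.txt").write_text("must survive")
    return base, repo, outside


def run_demo() -> dict:
    """Exercise both variants with the same traversal payload."""
    # From <repo>/meta/chunks, three '..' steps reach the parent of <repo>.
    payload = "../../../important"
    results = {}

    base, repo, outside = build_repo()
    delete_runs_vulnerable(repo, [payload])
    results["vulnerable_deleted_outside_repo"] = not outside.exists()
    shutil.rmtree(base)

    base, repo, outside = build_repo()
    rejected = []
    for bad in (payload, str(outside), "a" * 23 + "/"):
        try:
            delete_runs_hardened(repo, [bad])
        except TraversalError:
            rejected.append(bad)
    results["hardened_rejected_all"] = len(rejected) == 3
    results["outside_survives"] = (outside / "data.txt").exists()
    legit = "a" * 24
    delete_runs_hardened(repo, [legit])
    results["hardened_deletes_real_run"] = not (repo / "meta" / "chunks" / legit).exists()
    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The allow-list is the check that matters: it rejects traversal, absolute paths, backslashes, encoded dots and NUL bytes without having to enumerate them. The containment check after resolve() is kept as a second line of defence, so a future change to the hash format cannot silently reopen the hole.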
Impact
Successful exploitation allows arbitrary file or directory deletion on the server. This can cause denial of service, by removing files the application needs in order to keep running, or data loss, by deleting user data or logs [2]. The impact is greatest for self-hosted Aim instances that are reachable from the public internet, since no credentials are needed to reach the endpoint.
Mitigation
As of the publication date, no patch has been announced by the vendor. Until one is available, restrict network access to the Aim server (for example, bind it to localhost or place it behind a reverse proxy that requires authentication), run it as a low-privilege user whose write access is limited to the Aim repository directory, and consider a web application firewall (WAF) rule that rejects path traversal patterns. Such a rule must inspect the request body as well as the URL: a rule that matches only the URL will not see run names carried in the body of a delete-batch request. The vendor has been notified through the Huntr bug bounty platform [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| aim (PyPI) | <= 3.19.3 | — |
Affected products
aimhubio/aim (range: unspecified)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.