VYPR
Moderate severity · NVD Advisory · Published Jul 29, 2024 · Updated Aug 1, 2024

Stored XSS in aimhubio/aim

CVE-2024-6578

Description

A stored cross-site scripting (XSS) vulnerability exists in aimhubio/aim version 3.19.3. The vulnerability arises from the improper neutralization of input during web page generation, specifically in the logs-tab for runs. The terminal output logs are displayed using the dangerouslySetInnerHTML function in React, which is susceptible to XSS attacks. An attacker can exploit this vulnerability by injecting malicious scripts into the logs, which will be executed when a user views the logs-tab.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in Aim 3.19.3 allows attackers to inject malicious scripts via the logs-tab by exploiting dangerouslySetInnerHTML in React.

Vulnerability

Description

CVE-2024-6578 is a stored cross-site scripting (XSS) vulnerability in aimhubio/aim version 3.19.3. The root cause is improper neutralization of user input when generating web pages, specifically within the logs-tab for runs. The terminal output logs are rendered using React's dangerouslySetInnerHTML function, which bypasses React's default XSS protections and directly inserts raw HTML into the DOM [2]. This design flaw allows any attacker who can supply log content to introduce arbitrary script elements.

Exploitation

Prerequisites

An attacker must be able to inject malicious content into the logs that are later displayed in the logs-tab. This could occur if the attacker has the ability to submit log data (e.g., through a compromised training script, or by exploiting another input vector that feeds into the logs). No additional authentication is required for the execution of the XSS payload, as the vulnerability triggers when any user views the affected logs-tab [1]. The attack does not require a specific network position—any user accessing the Aim UI can be targeted.

Impact

Successful exploitation leads to arbitrary JavaScript execution in the browser of any user who views the logs-tab containing the injected script. This can result in session hijacking, data exfiltration, or further malicious actions within the context of the afflicted Aim instance. The stored (persistent) nature of the XSS means the payload remains until the log entry is removed, affecting all subsequent viewers [2].

Mitigation

As of the publication date (2024-07-29), no patch has been announced for this vulnerability. Users of Aim 3.19.3 are advised to avoid viewing untrusted logs in the UI until a fix is released. The project maintainers were notified via the Huntr bug bounty platform [3], and the vulnerability has a reserved CVE identifier. It is recommended to migrate to a patched version when available, or apply mitigations such as input sanitization and disabling dangerouslySetInnerHTML on user-supplied content.
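The two rendering paths described above, side by side, as an added example that is not the Aim project's own code. It is written in plain JavaScript because dangerouslySetInnerHTML is only a thin wrapper over innerHTML: string interpolation into markup reproduces the unsafe path, and escaping before the sink reproduces what React does when a value is rendered as a text child. The function names (renderLogUnsafe, renderLogSafe, containsForeignTag) and the sample log lines are constructed for this example.

```javascript
// Added example, not code from the Aim project: the vulnerable and the
// hardened log-rendering path, plus a check that the hardened path leaves no
// markup behind. Function names and sample log lines are constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace the characters that let text break out of a text node or an
// attribute value. React does this automatically when you render {text} as a
// child; dangerouslySetInnerHTML skips it entirely.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern, equivalent to <pre dangerouslySetInnerHTML={{ __html: line }} />:
// the raw log line is parsed as markup, so any tag inside it becomes a live element.
function renderLogUnsafe(lines) {
  return lines.map((line) => `<pre class="log-line">${line}</pre>`).join('\n');
}

// Hardened pattern: escape before the HTML sink so the log line is shown
// verbatim as text. Equivalent in effect to <pre className="log-line">{line}</pre>.
function renderLogSafe(lines) {
  return lines.map((line) => `<pre class="log-line">${escapeHtml(line)}</pre>`).join('\n');
}

// Regression check for a unit test: after rendering, the only tags present
// must be the wrapper the component itself emits. Anything else came from
// log content and would have been interpreted by the browser.
function containsForeignTag(html, allowedTags = ['pre']) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9-]*)/g;
  let match;
  while ((match = tagRe.exec(html)) !== null) {
    if (!allowedTags.includes(match[1].toLowerCase())) return true;
  }
  return false;
}

// Constructed sample log lines (not real Aim output). The second line is the
// kind of content a compromised training script could write to stdout.
const SAMPLE_LOG_LINES = [
  'epoch 1/10 loss=0.912',
  'epoch 2/10 loss=0.731 <script>alert(1)</script>',
  'warning: learning rate > 0.1 & batch < 8',
];

function demo() {
  const unsafe = renderLogUnsafe(SAMPLE_LOG_LINES);
  const safe = renderLogSafe(SAMPLE_LOG_LINES);
  return {
    unsafeHasForeignTag: containsForeignTag(unsafe), // true: the script tag survives
    safeHasForeignTag: containsForeignTag(safe),     // false: it is now &lt;script&gt; text
    safeHtml: safe,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

In a React component the equivalent fix is to drop the dangerouslySetInnerHTML prop and render each line as a text child; if terminal colour codes need to become styled spans, convert the ANSI escapes into React elements rather than into an HTML string, so no log byte ever reaches an HTML sink unescaped. The containsForeignTag check is cheap enough to keep as a unit test over the rendered output.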

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
aim       PyPI        <= 3.19.3           none listed

Affected products (2)

  • ghsa-coords
    Range: <= 3.19.3
  • aimhubio/aimhubio/aimv5
    Range: unspecified

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.