VYPR
High severity · NVD Advisory · Published Mar 20, 2025 · Updated Oct 15, 2025

Denial of Service in aimhubio/aim

CVE-2024-8061

Description

In version 3.23.0 of aimhubio/aim, certain methods that request data from external servers do not set timeouts, so the server waits indefinitely for a response. This can lead to a denial of service, because the tracking server does not respond to other requests while it is waiting. The issue is in the client the aim tracking server uses to communicate with external resources, specifically the _run_read_instructions method and similar calls made without a timeout.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Aim 3.23.0 does not set timeouts on its external data requests, so an unresponsive peer can hang the tracking server indefinitely and deny service.

Vulnerability

CVE-2024-8061 affects aimhubio/aim version 3.23.0. Certain methods that communicate with external servers, such as _run_read_instructions in the tracking server's client, do not set timeouts [2][3]. The server therefore waits indefinitely for a response and cannot handle other requests in the meantime.

Exploitation

An attacker who controls, or can influence, an external resource that the aim tracking server contacts can make that resource slow or unresponsive. Because the request carries no timeout, the server blocks on it for as long as the peer chooses and stops serving legitimate clients, which is the denial of service. No authentication is needed when the server is configured to reach untrusted external services [2].

Impact

Successful exploitation results in a denial of service, as the tracking server becomes unresponsive to legitimate client requests. This can disrupt machine learning experiment tracking and halt operations [2].

Mitigation

As of the publication date, no patch has been released. Update to a fixed version once one is available; until then, add explicit timeouts to the external requests in the affected client code [3]. The vulnerability is listed on Huntr [4] and tracked in the GitHub repository [1].
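The following Python example is added here to illustrate the failure mode described under Exploitation and the timeout mitigation above; it is not aim's code. It stands up a constructed local HTTP server that stalls on demand, then issues the same kind of blocking POST with and without a timeout, using only the standard library (urllib, rather than whichever HTTP client aim uses). The names SlowHandler, post_instruction and demo are hypothetical.

```python
"""Missing request timeout: a blocking HTTP call stalls the caller for as long
as the remote side chooses. Added example, not aim's code; names are hypothetical."""
import socket
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class SlowHandler(BaseHTTPRequestHandler):
    """Constructed 'external resource': /slow stalls for server.delay seconds
    before answering; any other path answers at once. An attacker-controlled
    upstream can make that stall arbitrarily long."""

    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", "0"))
            self.rfile.read(length)  # drain the request body
            if self.path == "/slow":
                time.sleep(self.server.delay)
            body = b"done"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        except (BrokenPipeError, ConnectionResetError):
            pass  # the client gave up (timed out) before we answered

    def log_message(self, *args):  # keep the example quiet
        pass


def start_server(delay):
    """Start the constructed upstream on a free loopback port."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), SlowHandler)
    srv.delay = delay
    srv.block_on_close = False  # don't wait for a still-sleeping handler on close
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def post_instruction(url, payload, timeout=None):
    """Hypothetical stand-in for a tracking-server client call.
    timeout=None is the vulnerable pattern: urlopen blocks until the peer answers.
    Returns "ok" on a response, "timeout" if the bounded wait expired."""
    req = urllib.request.Request(url, data=payload, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            resp.read()
            return "ok"
    except (socket.timeout, urllib.error.URLError) as exc:
        # a read timeout surfaces as socket.timeout; a connect timeout as URLError(reason=timeout)
        reason = getattr(exc, "reason", exc)
        if isinstance(reason, socket.timeout):
            return "timeout"
        raise


def demo(server_delay, timeout):
    """Run one call against a local upstream that stalls for server_delay seconds.
    Returns (outcome, elapsed_seconds)."""
    srv = start_server(server_delay)
    url = f"http://127.0.0.1:{srv.server_address[1]}/slow"
    start = time.monotonic()
    try:
        outcome = post_instruction(url, b"read-instruction", timeout=timeout)
    finally:
        elapsed = time.monotonic() - start
        srv.shutdown()
        srv.server_close()
    return outcome, elapsed


if __name__ == "__main__":
    for delay, timeout in ((0.0, 2.0), (2.0, 0.5), (1.0, None)):
        outcome, elapsed = demo(delay, timeout)
        print(f"server delay={delay}s timeout={timeout}: {outcome} after {elapsed:.2f}s")
```

With a timeout, a stalled upstream becomes a bounded error the caller can report and move past; without one, the elapsed time is whatever the remote side decides, which is exactly the condition the advisory describes. In production code the timeout should be set on every outbound call, and where the HTTP client supports it, connect and read timeouts should be bounded separately.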

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
aim       PyPI        <= 3.23.0           none listed

Affected products (3)
  • Aimhubio/Aimllm-fuzzy
    Range: =3.23.0
  • ghsa-coords
    Range: <= 3.23.0
  • aimhubio/aimhubio/aimv5
    Range: unspecified

Patches (0)

No patches discovered yet.


References (4)
