VYPR
Critical severityNVD Advisory· Published Mar 20, 2025· Updated Oct 15, 2025

Arbitrary File Deletion via Relative Path Traversal in aimhubio/aim

CVE-2024-8769

Description

A vulnerability in the LockManager.release_locks function in aimhubio/aim (commit bb76afe) allows for arbitrary file deletion through relative path traversal. The run_hash parameter, which is user-controllable, is concatenated without normalization as part of a path used to specify file deletion. This vulnerability is exposed through the Repo._close_run() method, which is accessible via the tracking server instruction API. As a result, an attacker can exploit this to delete any arbitrary file on the machine running the tracking server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
aimPyPI
>= 3.15.0, <= 3.27.0

Affected products

2
  • ghsa-coords
    Range: >= 3.15.0, <= 3.27.0
  • aimhubio/aimhubio/aimv5
    Range: unspecified

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.