Arbitrary File Deletion via Relative Path Traversal in aimhubio/aim
Description
A vulnerability in the LockManager.release_locks function in aimhubio/aim (commit bb76afe) allows for arbitrary file deletion through relative path traversal. The run_hash parameter, which is user-controllable, is concatenated without normalization as part of a path used to specify file deletion. This vulnerability is exposed through the Repo._close_run() method, which is accessible via the tracking server instruction API. As a result, an attacker can exploit this to delete any arbitrary file on the machine running the tracking server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Arbitrary file deletion via path traversal in aimhubio/aim's LockManager.release_locks due to unsanitized run_hash parameter.
Vulnerability
Description
The vulnerability resides in the LockManager.release_locks function of aimhubio/aim, specifically at commit bb76afe [1][3]. The run_hash parameter, which is user-controllable, is concatenated into a file path without normalization or sanitization. This allows an attacker to perform a relative path traversal attack, leading to the deletion of arbitrary files on the system [2].
Exploitation
The flaw is exposed through the Repo._close_run() method, which is accessible via the tracking server instruction API [2]. An attacker can craft a malicious run_hash containing path traversal sequences (e.g., ../) to navigate outside the lock directory. The function then uses this crafted path to select the file to delete, so the attacker can remove any file that the tracking-server process has permission to unlink [1][2].
Impact
Successful exploitation allows an attacker to delete arbitrary files on the machine hosting the Aim tracking server. This could lead to denial of service by removing critical application or system files, data loss, or potential disruption of machine learning experiment tracking operations. The severity is heightened by the fact that the vulnerable function is reachable through the tracking server's API without requiring high privileges [2].
Mitigation
The vulnerability was reported through the Huntr bug bounty platform [4]. The affected-package table below lists no patched version, so users should check for a release of aimhubio/aim that validates run_hash (for example, against the expected hash format) and verifies that the normalized lock path still lies inside the lock directory before deleting anything. Until then, restrict network access to the tracking server API and reject run_hash values that contain path separators or traversal sequences. A denylist of "../" alone is not sufficient: an absolute path supplied as run_hash contains no traversal sequence yet can still replace the intended directory when joined into the lock path.
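The following is an added illustration, not code from aimhubio/aim: a minimal reconstruction of the flawed pattern described in the Exploitation section (an unvalidated run_hash joined into a lock path that is then unlinked) next to the hardened shape the Mitigation section calls for (allowlist the identifier, then confirm the resolved path is a direct child of the lock directory). The class names, the lock-file layout, the hex format assumed for run_hash, and the temporary-directory setup are all assumptions made for the demo.

```python
"""Added example (not aim's code): path traversal in a lock-release routine,
and a hardened version. Names, file layout and run_hash format are assumed."""
import os
import re
import tempfile
from pathlib import Path

# Assumption: a legitimate run_hash is a short lowercase hex string.
RUN_HASH_RE = re.compile(r"^[0-9a-f]{6,64}$")


class VulnerableLockManager:
    """Reconstruction of the flawed pattern: run_hash is joined into the lock
    path with no validation or normalization, then the file is unlinked."""

    def __init__(self, locks_dir):
        self.locks_dir = str(locks_dir)

    def release_locks(self, run_hash):
        # "../x" walks out of locks_dir; an absolute run_hash makes
        # os.path.join discard locks_dir altogether.
        lock_path = os.path.join(self.locks_dir, run_hash)
        if os.path.exists(lock_path):
            os.remove(lock_path)
            return True
        return False


class HardenedLockManager:
    """Allowlist the identifier, then confirm the resolved path is still a
    direct child of the lock directory before touching the filesystem."""

    def __init__(self, locks_dir):
        self.locks_dir = Path(locks_dir).resolve()

    def _lock_path(self, run_hash):
        if not RUN_HASH_RE.fullmatch(run_hash):
            raise ValueError(f"invalid run_hash: {run_hash!r}")
        lock_path = (self.locks_dir / run_hash).resolve()
        # Defence in depth: even an identifier that passes the regex must
        # resolve to a direct child of locks_dir (guards against symlinks
        # or a later loosening of the regex).
        if lock_path.parent != self.locks_dir:
            raise ValueError("lock path escapes the lock directory")
        return lock_path

    def release_locks(self, run_hash):
        lock_path = self._lock_path(run_hash)
        if lock_path.is_file():
            lock_path.unlink()
            return True
        return False


def demo():
    """Run both managers against a constructed layout and report the outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        locks = root / "locks"
        locks.mkdir()
        victim = root / "victim.txt"  # constructed file outside locks_dir
        victim.write_text("must survive")

        # 1. Traversal against the vulnerable manager deletes the victim.
        VulnerableLockManager(locks).release_locks("../victim.txt")
        results["vulnerable_deleted_victim"] = not victim.exists()

        victim.write_text("must survive")
        hardened = HardenedLockManager(locks)

        # 2. Relative, absolute and mixed payloads are all rejected before
        #    any filesystem access happens.
        payloads = ["../victim.txt", str(victim), "abcdef/../../victim.txt"]
        rejected = 0
        for payload in payloads:
            try:
                hardened.release_locks(payload)
            except ValueError:
                rejected += 1
        results["rejected_payloads"] = rejected
        results["hardened_kept_victim"] = victim.exists()

        # 3. A well-formed run_hash still releases its own lock file.
        (locks / "deadbeef01").write_text("")
        results["legit_released"] = hardened.release_locks("deadbeef01")
        results["legit_lock_gone"] = not (locks / "deadbeef01").exists()
    return results


if __name__ == "__main__":
    print(demo())
```

The regex check rejects the payloads on its own; the parent-directory comparison on the resolved path is there so that a future change to the identifier format, or a symlink planted inside the lock directory, still cannot turn release_locks into a primitive for deleting files elsewhere.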
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| aim (PyPI) | >= 3.15.0, <= 3.27.0 | — |
Affected products
aimhubio/aim (affected range unspecified)
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.