Critical severityNVD Advisory· Published Mar 20, 2025· Updated Oct 15, 2025
Arbitrary File Deletion via Relative Path Traversal in aimhubio/aim
CVE-2024-8769
Description
A vulnerability in the LockManager.release_locks function in aimhubio/aim (commit bb76afe) allows for arbitrary file deletion through relative path traversal. The run_hash parameter, which is user-controllable, is concatenated without normalization as part of a path used to specify file deletion. This vulnerability is exposed through the Repo._close_run() method, which is accessible via the tracking server instruction API. As a result, an attacker can exploit this to delete any arbitrary file on the machine running the tracking server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
aimPyPI | >= 3.15.0, <= 3.27.0 | — |
Affected products
2- aimhubio/aimhubio/aimv5Range: unspecified
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.