VYPR
High severity | NVD Advisory | Published Mar 20, 2025 | Updated Oct 15, 2025

Denial of Service in aimhubio/aim

CVE-2025-0189

Description

In version 3.25.0 of aimhubio/aim, the tracking server is vulnerable to a denial of service attack. The server overrides the maximum size for websocket messages, allowing very large images to be tracked. This causes the server to become unresponsive to other requests while processing the large image, leading to a denial of service condition.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Aim 3.25.0 tracking server is vulnerable to denial of service via large websocket images, causing unresponsiveness.

Vulnerability

Description

In version 3.25.0 of aimhubio/aim, the tracking server overrides the maximum size for websocket messages, allowing very large images to be tracked. This design flaw lets an attacker (the description implies no authentication requirement) send oversized image payloads over the websocket connection, forcing the server into a blocked state while it processes the large image [2].
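The following is an added illustration of the setting at issue, written for this page and not taken from Aim's code base. It models a server that lifts its websocket message-size cap (`max_size=None`, which is how the `websockets` library spells "unlimited"; whether Aim uses that library is an assumption) and shows the bounded alternative rejecting an oversized image on its declared length before any payload is buffered or decoded. The length-prefixed wire format is constructed for the example.

```python
"""Bounded websocket-message intake: added example, not Aim's own code."""
import struct
from typing import Optional

# Constructed framing for this example: 4-byte big-endian length, then the
# image bytes. Real websocket framing differs; the size gate is the point.
HEADER = struct.Struct("!I")


class MessageTooBig(Exception):
    """Raised when a message's declared length exceeds the configured cap."""


def read_tracked_image(stream: bytes, max_size: Optional[int]) -> bytes:
    """Return the image payload, or refuse it before it is buffered.

    max_size=None reproduces the vulnerable configuration: no limit applies,
    so an arbitrarily large payload is copied into memory and passed on to
    whatever (possibly synchronous) image processing follows.
    """
    if len(stream) < HEADER.size:
        raise ValueError("truncated header")
    (declared_len,) = HEADER.unpack_from(stream)
    if max_size is not None and declared_len > max_size:
        # Decide on the header alone: nothing large has been allocated yet,
        # so the connection can be dropped without tying up the server.
        raise MessageTooBig(f"{declared_len} bytes exceeds cap of {max_size}")
    body = stream[HEADER.size:HEADER.size + declared_len]
    if len(body) != declared_len:
        raise ValueError("truncated payload")
    return body


def bytes_buffered(stream: bytes, max_size: Optional[int]) -> int:
    """How many payload bytes the server ends up holding under a given cap."""
    try:
        return len(read_tracked_image(stream, max_size))
    except MessageTooBig:
        return 0


def build_message(image: bytes) -> bytes:
    """Client-side framing helper used to construct sample messages."""
    return HEADER.pack(len(image)) + image


if __name__ == "__main__":
    big = build_message(b"\xff" * 5_000_000)       # constructed 5 MB "image"
    print("unlimited cap buffers:", bytes_buffered(big, None))   # 5000000
    print("1 MiB cap buffers:   ", bytes_buffered(big, 2**20))   # 0
```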

Exploitation

Prerequisites

No special privileges or network position beyond being able to reach the websocket endpoint are needed; the server accepts arbitrary image sizes because the size limit is deliberately overridden. An attacker simply sends a crafted message containing an extremely large image, which the server begins to process synchronously or in a way that monopolizes resources [2].

Impact

While the server processes the oversized image, it stops responding to other legitimate requests, resulting in a denial of service condition. The vulnerability does not require any special authentication or prior access, making it trivially exploitable by anyone who can connect to the Aim tracking server [1][2].

Mitigation

Status

As of the publication date (2025-03-20), the vulnerability is present in version 3.25.0. Users should check for updated releases or patches from the maintainers; the official repository is available at GitHub [1]. No workaround is described in the provided references.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: aim (PyPI)
Affected versions: <= 3.25.0
Patched versions: none listed

Affected products (3)

  • Aimhubio/Aimllm-fuzzy
    Range: = 3.25.0
  • ghsa-coords
    Range: <= 3.25.0
  • aimhubio/aimhubio/aimv5
    Range: unspecified

Patches (0)


No patches discovered yet.


References (3)

