VYPR
High severity · NVD Advisory · Published Mar 20, 2025 · Updated Mar 20, 2025

Denial of Service in aimhubio/aim

CVE-2025-0190

Description

In version 3.25.0 of aimhubio/aim, a denial of service vulnerability exists. By tracking a large number of Text objects and then querying them simultaneously through the web API, the Aim web server becomes unresponsive to other requests for an extended period while processing and returning these objects. This vulnerability can be exploited repeatedly, leading to a complete denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A denial of service vulnerability in Aim 3.25.0 allows attackers to exhaust server resources by querying many Text objects simultaneously.

In version 3.25.0 of aimhubio/aim, a denial of service vulnerability exists due to inefficient handling of large numbers of Text objects. When these objects are tracked and subsequently queried through the web API, the server processes them synchronously, causing prolonged unresponsiveness to other requests [2].

An attacker can exploit this by tracking a large number of Text objects and then sending simultaneous queries via the web API. No authentication or special privileges are required beyond normal API access, making the attack accessible to any user of the Aim instance [3]. Each query triggers extensive processing, and repeated exploitation can lock the server indefinitely.

The impact is a complete denial of service, as the web server becomes unable to respond to legitimate requests for an extended period. This can disrupt experiment tracking and data analysis workflows for other users [2].

As of the disclosure, no official patch has been announced. Users are advised to upgrade to a patched version if available, or implement rate limiting and restrict API query sizes to mitigate the risk [3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
aim (PyPI) | <= 3.25.0 |

Affected products

3
  • Aimhubio/Aim (llm-fuzzy)
    Range: =3.25.0
  • ghsa-coords
    Range: <= 3.25.0
  • aimhubio/aimhubio/aim (v5)
    Range: unspecified

Patches

0

No patches discovered yet.

References

3
