CVE-2024-7760: Aim vulnerable to Cross-Site Request Forgery

March 20, 2025 (updated July 22, 2025)

aimhubio/aim version 3.22.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the tracking server. The vulnerability is due to overly permissive CORS settings, allowing cross-origin requests from all origins. This enables CSRF attacks on all endpoints of the tracking server, which can be chained with other existing vulnerabilities such as remote code execution, denial of service, and arbitrary file read/write.

References

github.com/advisories/GHSA-38r9-3j52-h92v
github.com/aimhubio/aim
huntr.com/bounties/2038df5f-4829-4040-8573-67bf9bb89229
nvd.nist.gov/vuln/detail/CVE-2024-7760

Code Behaviors & Features

Detect and mitigate CVE-2024-7760 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →