CVE-2024-8061: Aim allows denial of service due to no timeouts for some tracking server endpoints

March 20, 2025 (updated March 21, 2025)

In version 3.23.0 of aimhubio/aim, certain methods that request data from external servers do not have set timeouts, causing the server to wait indefinitely for a response. This can lead to a denial of service, as the tracking server does not respond to other requests while waiting. The issue arises in the client used by the aim tracking server to communicate with external resources, specifically in the _run_read_instructions method and similar calls without timeouts.

References

github.com/advisories/GHSA-6w7p-xrvp-p7xv
github.com/aimhubio/aim
github.com/aimhubio/aim/blob/a6c6f2fee0f1abe37c1d66701b0329fb6af31a3d/aim/ext/transport/client.py
huntr.com/bounties/c85d005c-b354-4c51-a88f-adda2f09622b
nvd.nist.gov/vuln/detail/CVE-2024-8061

Code Behaviors & Features

Detect and mitigate CVE-2024-8061 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →