CVE-2024-8769: Aim path traversal in LockManager.release_locks

March 20, 2025

A vulnerability in the LockManager.release_locks function in aimhubio/aim (commit bb76afe) allows for arbitrary file deletion through relative path traversal. The run_hash parameter, which is user-controllable, is concatenated without normalization as part of a path used to specify file deletion. This vulnerability is exposed through the Repo._close_run() method, which is accessible via the tracking server instruction API. As a result, an attacker can exploit this to delete any arbitrary file on the machine running the tracking server.

References

github.com/advisories/GHSA-4qcx-jx49-6qrh
github.com/aimhubio/aim
github.com/aimhubio/aim/blob/bb76afe6e9a54364f322520cc4fea2679238f904/aim/sdk/lock_manager.py
huntr.com/bounties/59d3472f-f581-4beb-a090-afd36a00ecf7
nvd.nist.gov/vuln/detail/CVE-2024-8769

Detect and mitigate CVE-2024-8769 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →