CVE-2025-0189: Aim Uncontrolled Resource Consumption vulnerability

March 20, 2025 (updated March 22, 2025)

In version 3.25.0 of aimhubio/aim, the tracking server is vulnerable to a denial of service attack. The server overrides the maximum size for websocket messages, allowing very large images to be tracked. This causes the server to become unresponsive to other requests while processing the large image, leading to a denial of service condition.

References

github.com/advisories/GHSA-j5qj-rg5j-j7c2
github.com/aimhubio/aim
huntr.com/bounties/e4c9bf41-72cf-4d04-baaf-8f12b5b7926e
nvd.nist.gov/vuln/detail/CVE-2025-0189

Code Behaviors & Features

Detect and mitigate CVE-2025-0189 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →