CVE-2025-51464: Aim vulnerable to Cross-site Scripting

July 22, 2025

Cross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox restrictions prevent JavaScript execution via pyodide.code.run_js().

References

github.com/advisories/GHSA-gmvv-rj92-9w35
github.com/aimhubio/aim
github.com/aimhubio/aim/pull/3333
nvd.nist.gov/vuln/detail/CVE-2025-51464
www.gecko.security/blog/cve-2025-51464

Code Behaviors & Features

Detect and mitigate CVE-2025-51464 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →