CVE-2024-6483

Medium CVSS 5.3

Overview

A vulnerability in the `runs/delete-batch` endpoint of aimhubio/aim version 3.19.3 allows for arbitrary file or directory deletion through path traversal. The endpoint does not mitigate path traversal when handling user-specified run-names, which are used to specify log/metadata files for deletion. This can be exploited to delete arbitrary files or directories, potentially causing denial of service or data loss.

CWE: CWE-23 Published: 2025-03-20T10:15:32.863

Risk analysis

This vulnerability is rated 🟡 MEDIUM.

CVSS: 5.3 (MEDIUM)
Detected tags: dos, path (tag impact: MODERATE)

Recommended actions:

Rate limiting, resource quotas and circuit breakers.
Canonicalize path; block `..` traversal; use allowlists.

Overview

Recommended tools

Tags