
AVID-2026-R1591

Description

Arbitrary File Overwrite through tarfile-extraction in aimhubio/aim (CVE-2024-6829)

Details

A vulnerability in aimhubio/aim version 3.19.3 allows an attacker to exploit the tarfile.extractall() function to extract the contents of a maliciously crafted tarfile to arbitrary locations on the host server. The attacker can control repo.path and run_hash to bypass directory existence checks and extract files to unintended locations, potentially overwriting critical files. This can lead to arbitrary data being written to arbitrary locations on the remote tracking server, which could be used for further attacks such as writing a new SSH key to the target server.
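The mitigation for this class of bug is to validate every archive member against the intended destination before calling extractall() and to refuse the whole archive when any member escapes. The following is an added example, not aim's own code; the destination path and the in-memory test archives it builds are constructed for illustration.

```python
import io
import tarfile
from pathlib import Path

def _inside(path: Path, root: Path) -> bool:
    """True when the resolved path is root itself or lies below it."""
    return path == root or root in path.parents

def find_escaping_members(tar_bytes: bytes, dest: str) -> list:
    """Names of members whose extraction would land outside dest.
    Catches '..' components, absolute names and links pointing out of
    dest; nothing is written to disk."""
    root = Path(dest).resolve()
    escaping = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            target = (root / m.name).resolve()
            if not _inside(target, root):
                escaping.append(m.name)
            elif m.issym() and not _inside((target.parent / m.linkname).resolve(), root):
                escaping.append(m.name)  # symlink target is relative to the member's dir
            elif m.islnk() and not _inside((root / m.linkname).resolve(), root):
                escaping.append(m.name)  # hard link target is relative to the archive root
    return escaping

def safe_extractall(tar_bytes: bytes, dest: str) -> None:
    """Refuse the whole archive if any member escapes; otherwise extract."""
    bad = find_escaping_members(tar_bytes, dest)
    if bad:
        raise ValueError(f"refusing to extract, members escape {dest}: {bad}")
    # Belt and braces: on Python 3.12+ (and backports) also apply the stdlib 'data' filter.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        tar.extractall(path=dest, **extra)

def build_tar(files: dict, symlinks: dict = None) -> bytes:
    """Constructed in-memory fixture: files map name -> bytes,
    symlinks map name -> link target (used only to exercise the check)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, link in (symlinks or {}).items():
            info = tarfile.TarInfo(name)
            info.type, info.linkname = tarfile.SYMTYPE, link
            tar.addfile(info)
    return buf.getvalue()
```

Because the check resolves paths lexically against the destination, it works before the destination directory exists, so a caller cannot be tricked by controlling whether the target directory is present.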

Reason for inclusion in AVID: CVE-2024-6829 describes an arbitrary file overwrite vulnerability in aimhubio/aim (version 3.19.3) via tarfile.extractall(), enabling an attacker to overwrite arbitrary files on the host by manipulating tar contents. This relates to AI tooling (an AI experiment/tracking server) used in AI pipelines. It affects a software component that could be part of the build/run/deploy stack for general-purpose AI systems, representing a software supply chain risk. The vulnerability is security-focused (data/host integrity, potential escalation), with CVSS 3.0 base score 9.1 and CWE-73. The report provides explicit details, impact, and references, supporting curation.

References

Affected or Relevant Artifacts

  • Developer: aimhubio
  • Deployer: aimhubio
  • Artifact Details:
      Type     Name
      System   aimhubio/aim

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version: 3.0
Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Base Score: 9.1
Base Severity: 🔴 Critical
Attack Vector: NETWORK
Attack Complexity: 🟢 Low
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: 🔴 High
Availability Impact: 🔴 High

CWE

ID       Description
CWE-73   External Control of File Name or Path

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2025-03-20
  • Version: 0.3.3
  • AVID Entry