AVID-2026-R1602
Description
CSRF in aimhubio/aim (CVE-2024-7760)
Details
aimhubio/aim version 3.22.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the tracking server. The vulnerability is due to overly permissive CORS settings, allowing cross-origin requests from all origins. This enables CSRF attacks on all endpoints of the tracking server, which can be chained with other existing vulnerabilities such as remote code execution, denial of service, and arbitrary file read/write.
Reason for inclusion in AVID: CVE-2024-7760 describes a CSRF vulnerability in aimhubio/aim, an AI experiment tracking server. This software is commonly used within ML pipelines to build, train and deploy AI experiments, making it a component in the AI software supply chain. The issue arises from overly permissive CORS enabling CSRF across endpoints, with potential chaining to other vulnerabilities (e.g., RCE). The report provides CVSS details and references, giving concrete vulnerability behavior. Therefore it is relevant to AI systems and qualifies as a software supply-chain vulnerability in general-purpose AI stacks.
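To make the CORS misconfiguration concrete, here is an added example (not code from aimhubio/aim) that classifies a server's CORS response headers for the over-permissive pattern the advisory describes and places the weak setting beside an allowlist-based replacement. The probe origin, the allowlist and all header values are constructed for illustration.

```python
# Added example, not aimhubio/aim code: classify a server's CORS response for
# the over-permissive pattern the advisory describes, beside an allowlist-based
# replacement. All origins and headers below are constructed.
from typing import Dict, FrozenSet, Optional

# Constructed probe origin: one that must NOT be on any legitimate allowlist.
PROBE_ORIGIN = "https://not-on-the-allowlist.example"
# Constructed operator allowlist for the hardened variant.
ALLOWED_ORIGINS: FrozenSet[str] = frozenset({"https://ui.internal.example"})


def cors_risk(headers: Dict[str, str], probe_origin: str = PROBE_ORIGIN) -> str:
    """Classify the CORS headers returned for a request sent with a foreign
    Origin. 'permissive' = any origin may read responses (wildcard or the
    foreign Origin echoed back); 'permissive-with-credentials' = the same
    while cookies/auth are also allowed, the CSRF-enabling combination;
    'restricted' = the foreign origin was not accepted."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None or acao not in ("*", probe_origin):
        return "restricted"
    return "permissive-with-credentials" if creds else "permissive"


def permissive_cors_headers(request_origin: Optional[str]) -> Dict[str, str]:
    """Weak setting: every Origin is echoed back and credentials are allowed,
    so any site a logged-in user visits can drive the tracking API."""
    return {
        "Access-Control-Allow-Origin": request_origin or "*",
        "Access-Control-Allow-Credentials": "true",
    }


def allowlist_cors_headers(request_origin: Optional[str],
                           allowed: FrozenSet[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """Corrected setting: only a listed origin is echoed, never '*', and
    credentials are granted only to those origins. Same-origin requests
    (no Origin header) get no CORS headers and are unaffected. CORS limits
    cross-origin reads; state-changing endpoints still need an anti-CSRF
    token or SameSite cookies as a second layer."""
    if request_origin is None or request_origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # keep caches from serving one origin's grant to another
    }
```

Run `cors_risk` against the headers a tracking server returns for a request carrying an origin that is not on its allowlist; anything other than "restricted" is the condition this advisory describes.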
References
Affected or Relevant Artifacts
- Developer: aimhubio
- Deployer: aimhubio
- Artifact Details:
| Type | Name |
|---|---|
| System | aimhubio/aim |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Metric | Value |
|---|---|
| Version | 3.0 |
| Vector String | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N |
| Base Score | 7.4 |
| Base Severity | 🔴 High |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | CHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | NONE |
| Availability Impact | NONE |
CWE
| ID | Description |
|---|---|
| CWE-352 | CWE-352 Cross-Site Request Forgery (CSRF) |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2025-03-20
- Version: 0.3.3
- AVID Entry