
AVID-2026-R1624

Description

Arbitrary File Deletion via Relative Path Traversal in aimhubio/aim (CVE-2024-8769)

Details

A vulnerability in the LockManager.release_locks function in aimhubio/aim (commit bb76afe) allows arbitrary file deletion through relative path traversal. The user-controllable run_hash parameter is joined onto the lock-directory path without normalization or validation, and the resulting path is then unlinked. The vulnerable code is reachable through the Repo._close_run() method, which is exposed by the tracking server's instruction API. An attacker who can reach the tracking server can therefore supply a run_hash containing `../` segments to delete any file that the tracking server process has permission to remove, without authentication or user interaction.
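The following is an added illustration of the bug class described above and of one way to harden it; it is not aim's own code and does not reproduce the project's actual file layout. It assumes a locks directory in which each run's lock file is named after its run_hash with no suffix, and it assumes run hashes are lower-case hex (the validation regex is a hypothetical policy, not aim's). The "victim" file and directory tree are constructed in a temporary directory so the script runs offline.

```python
import os
import re
import tempfile
from pathlib import Path

# Vulnerable shape (illustrative, not aim's code): the caller-supplied run_hash is
# joined onto the locks directory and the result is unlinked. Nothing stops
# run_hash from containing "../" segments, so the unlink can land anywhere the
# server process can write. Note that os.path.join also discards locks_dir
# entirely if run_hash is an absolute path.
def release_lock_vulnerable(locks_dir: str, run_hash: str) -> str:
    lock_path = os.path.join(locks_dir, run_hash)
    if os.path.exists(lock_path):
        os.remove(lock_path)
    return lock_path


# Hypothetical run_hash format: 6-64 lower-case hex characters (an assumption).
RUN_HASH_RE = re.compile(r"[0-9a-f]{6,64}")


def safe_lock_path(locks_dir: str, run_hash: str) -> Path:
    """Return the lock path for run_hash, refusing anything that escapes locks_dir."""
    # Layer 1: allow-list the identifier's shape before it touches a path.
    if not RUN_HASH_RE.fullmatch(run_hash):
        raise ValueError(f"invalid run_hash: {run_hash!r}")
    # Layer 2: resolve both sides and require the lock file to be a direct child
    # of the locks directory, which also defeats symlink tricks inside locks_dir.
    base = Path(locks_dir).resolve()
    candidate = (base / run_hash).resolve()
    if candidate.parent != base:
        raise ValueError(f"lock path escaped locks directory: {candidate}")
    return candidate


def release_lock_hardened(locks_dir: str, run_hash: str) -> str:
    lock_path = safe_lock_path(locks_dir, run_hash)
    if lock_path.exists():
        lock_path.unlink()
    return str(lock_path)


def demo() -> dict:
    """Exercise both versions against a constructed directory tree."""
    with tempfile.TemporaryDirectory() as root:
        locks = os.path.join(root, "repo", ".aim", "locks")
        os.makedirs(locks)
        victim = os.path.join(root, "secret.txt")   # constructed out-of-tree file
        Path(victim).write_text("do not delete")
        legit_hash = "abc123def456"
        Path(locks, legit_hash).write_text("")

        # Three "../" climb from locks -> .aim -> repo -> root.
        traversal = "../../../secret.txt"

        release_lock_vulnerable(locks, traversal)
        victim_deleted_by_vuln = not os.path.exists(victim)

        Path(victim).write_text("do not delete")    # restore for the second run
        try:
            release_lock_hardened(locks, traversal)
            traversal_rejected = False
        except ValueError:
            traversal_rejected = True
        victim_survives_hardened = os.path.exists(victim)

        # A well-formed hash is still released normally.
        release_lock_hardened(locks, legit_hash)
        legit_lock_removed = not os.path.exists(os.path.join(locks, legit_hash))

        return {
            "victim_deleted_by_vuln": victim_deleted_by_vuln,
            "traversal_rejected": traversal_rejected,
            "victim_survives_hardened": victim_survives_hardened,
            "legit_lock_removed": legit_lock_removed,
        }


if __name__ == "__main__":
    print(demo())
```

The format check alone would be enough for a fixed-width hex identifier, but the containment check is cheap and protects the unlink even if the identifier policy is later loosened; when reviewing a fix for this class of bug, look for both, and confirm the check sits in the code path that actually performs the deletion rather than only at the API boundary.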

Reason for inclusion in AVID: The CVE describes an arbitrary file deletion via path traversal in the aimhubio/aim ML experiment tracking tool, a component commonly used in AI/ML workflows. This is a software supply-chain vulnerability within AI tooling (not hardware/firmware), affecting components used to build/train/deploy AI systems. The vulnerability is security-related (arbitrary file deletion) and the report provides direct details and CVE linkage, supporting curation.

References

Affected or Relevant Artifacts

  • Developer: aimhubio
  • Deployer: aimhubio
  • Artifact Details:
    Type: System
    Name: aimhubio/aim

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version: 3.0
Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Base Score: 9.1
Base Severity: 🔴 Critical
Attack Vector: NETWORK
Attack Complexity: 🟢 Low
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: 🔴 High
Availability Impact: 🔴 High

CWE

ID: CWE-22
Description: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2025-03-20
  • Version: 0.3.3
  • AVID Entry