{"id":"GHSA-6w7p-xrvp-p7xv","summary":"Aim allows denial of service due to no timeouts for some tracking server endpoints","details":"In version 3.23.0 of aimhubio/aim, certain methods that request data from external servers do not have set timeouts, causing the server to wait indefinitely for a response. This can lead to a denial of service, as the tracking server does not respond to other requests while waiting. The issue arises in the client used by the `aim` tracking server to communicate with external resources, specifically in the `_run_read_instructions` method and similar calls without timeouts.","aliases":["CVE-2024-8061"],"modified":"2025-10-16T07:56:41.256036Z","published":"2025-03-20T12:32:47Z","database_specific":{"github_reviewed":true,"github_reviewed_at":"2025-03-21T21:24:33Z","cwe_ids":["CWE-1088","CWE-400"],"severity":"HIGH","nvd_published_at":"2025-03-20T10:15:40Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-8061"},{"type":"PACKAGE","url":"https://github.com/aimhubio/aim"},{"type":"WEB","url":"https://github.com/aimhubio/aim/blob/a6c6f2fee0f1abe37c1d66701b0329fb6af31a3d/aim/ext/transport/client.py#L258"},{"type":"WEB","url":"https://huntr.com/bounties/c85d005c-b354-4c51-a88f-adda2f09622b"}],"affected":[{"package":{"name":"aim","ecosystem":"PyPI","purl":"pkg:pypi/aim"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"3.23.0"}]}],"versions":["2.0.19","2.0.20","2.0.21","2.0.22","2.0.23","2.0.24","2.0.25","2.0.26","2.0.27","2.1.0","2.1.1","2.1.2","2.1.3","2.1.4","2.1.5","2.1.6","2.2.0","2.2.1","2.3.0","2.4.0","2.5.0","2.6.0","2.7.0","2.7.1","2.7.2","2.7.3","2.7.4","3.0.0","3.0.1","3.0.2","3.0.3","3.0.4","3.0.5","3.0.6","3.0.7","3.1.0","3.1.1","3.10.0","3.10.0.dev9","3.10.1","3.10.2","3.10.3","3.11.0","3.11.0.dev4","3.11.1","3.11.1.dev1","3.11.2","3.12.0","3.12.0.dev2","3.12.1","3.12.2","3.13.0","3.13.1","3.13.2","3.13.3","3.13.4","3.14.0","3.14.1","3.14.2","3.14.3","3.14.4","3.15.0","3.15.1","3.15.2","3.16.0","3.16.1","3.16.2","3.17.0","3.17.1","3.17.2","3.17.3","3.17.4","3.17.5","3.17.5rc1","3.17.5rc2","3.17.5rc3","3.17.5rc4","3.18.0","3.18.0.dev2","3.18.0.dev3","3.18.0.dev4","3.18.0.dev5","3.18.1","3.19.0","3.19.1","3.19.2","3.19.3","3.2.0","3.2.1","3.2.2","3.20.1","3.21.0","3.22.0","3.23.0","3.3.0","3.3.1","3.3.2","3.3.3","3.3.4","3.3.5","3.4.0","3.4.1","3.5.0","3.5.1","3.5.2","3.5.3","3.5.4","3.6.0","3.6.1","3.6.2","3.6.3","3.7.0","3.7.1","3.7.2","3.7.3","3.7.4","3.7.5","3.8.0","3.8.1","3.9.0a1","3.9.0a14","3.9.2","3.9.3","3.9.4"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-6w7p-xrvp-p7xv/GHSA-6w7p-xrvp-p7xv.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}