CVE-2025-0189
Published: 20 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-0189 is a denial-of-service vulnerability in version 3.25.0 of aimhubio/aim, specifically affecting the tracking server component. The issue stems from the server overriding the maximum size limit for WebSocket messages, which allows clients to send very large images for tracking. Processing these oversized images causes the server to become unresponsive to other requests, leading to a denial-of-service condition. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-770.
Any unauthenticated attacker with network access to the tracking server can exploit this vulnerability by transmitting a very large image via WebSocket. The server will attempt to process the oversized payload, consuming resources and rendering it unresponsive to legitimate requests, thereby disrupting service availability for all users.
Mitigation details and additional information are available in the advisory published on Huntr at https://huntr.com/bounties/e4c9bf41-72cf-4d04-baaf-8f12b5b7926e.
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category
- Other Platforms
- Risk Domain
- Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025
- None mapped
- MITRE ATLAS Techniques
- None mapped
- Classification Reason
- Aim (aimhubio/aim) is an open-source experiment tracking platform for AI/ML workflows, used to log metrics, images, and artifacts during ML experiments, fitting under Other Platforms.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables denial of service by exploiting the tracking server's lack of websocket message size limits, causing unresponsiveness during large image processing, directly facilitating T1499.004 (Application or System Exploitation).