CVE-2024-12778

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to cause denial of service (DoS) by making API requests for large numbers of tracked metrics simultaneously. The Aim web server becomes unresponsive due to excessive resource consumption from unlimited metric requests. Anyone running Aim version 3.25.0 with the web API exposed is affected.

💻 Affected Systems

Products:
  • aimhubio/aim
Versions: Version 3.25.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with the Aim web API enabled and accessible.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service outage where the Aim web server becomes completely unresponsive, requiring manual restart and potentially causing data loss or corruption.

🟠 Likely Case

Temporary service degradation or unavailability affecting users trying to access metrics through the web interface or API.

🟢 If Mitigated

Minimal impact with proper rate limiting and request size restrictions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires knowledge of the API endpoints and ability to send crafted requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 3.25.0

Vendor Advisory: https://huntr.com/bounties/892a9eee-0251-4e57-94a4-dad2e7f32715

Restart Required: No

Instructions:

1. Update Aim to the latest version using pip: pip install --upgrade aim
2. Verify the version is greater than 3.25.0
3. No restart required as this is a Python package update

🔧 Temporary Workarounds

Implement API rate limiting (all platforms)

Add rate limiting to the Aim web API to prevent excessive requests

Add request size limits (all platforms)

Configure web server or reverse proxy to limit maximum request size

🧯 If You Can't Patch

  • Restrict network access to Aim web API using firewall rules
  • Implement monitoring for abnormal request patterns and alert on high metric retrieval volumes

🔍 How to Verify

Check if Vulnerable:

Check if running Aim version 3.25.0 by examining the installed package version

Check Version:

pip show aim | grep Version

Verify Fix Applied:

Verify Aim version is greater than 3.25.0 and test API with large metric requests
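The version check above can be scripted so it runs the same way on every host. The following is an added example written for this page, not code from the Aim project: it reads the installed version through the standard library, can also parse captured `pip show aim` output, and classifies the result against the single affected version named here (3.25.0) and the fixed state (greater than 3.25.0). The sample `pip show` text is constructed.

```python
import re
from importlib import metadata

# The only version this advisory names as affected; fixed means strictly newer.
AFFECTED = (3, 25, 0)

# Constructed sample of `pip show aim` output (not captured from a real host).
SAMPLE_PIP_SHOW = """Name: aim
Version: 3.25.0
Summary: A super-easy way to record, search and compare AI experiments.
"""


def version_tuple(version: str) -> tuple:
    """Reduce a version string to (major, minor, patch); suffixes such as rc1 are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def parse_pip_show(output: str):
    """Pull the Version: field out of `pip show aim` output; None if absent."""
    for line in output.splitlines():
        if line.lower().startswith("version:"):
            return line.split(":", 1)[1].strip()
    return None


def is_affected(version: str) -> bool:
    return version_tuple(version) == AFFECTED


def is_fixed(version: str) -> bool:
    return version_tuple(version) > AFFECTED


def installed_aim_version():
    """Version of the aim package in the current interpreter, or None if not installed."""
    try:
        return metadata.version("aim")
    except metadata.PackageNotFoundError:
        return None


def assess(version) -> str:
    """Human-readable verdict for one version string (or None for 'not installed')."""
    if version is None:
        return "aim is not installed in this environment"
    if is_affected(version):
        return f"VULNERABLE: aim {version} is the affected release 3.25.0"
    if is_fixed(version):
        return f"fixed: aim {version} is newer than 3.25.0"
    return f"aim {version} is older than 3.25.0 and is not named by this advisory"


if __name__ == "__main__":
    print(assess(installed_aim_version()))
    print(assess(parse_pip_show(SAMPLE_PIP_SHOW)))
```

Run it inside the same virtual environment that serves Aim; `installed_aim_version()` only sees packages visible to that interpreter.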

📡 Detection & Monitoring

Log Indicators:

  • Multiple rapid API requests for metrics
  • Server error logs showing timeouts or resource exhaustion
  • Increased CPU/memory usage on Aim server

Network Indicators:

  • High volume of requests to /api/metrics endpoints
  • Unusually large HTTP requests to Aim API

SIEM Query:

source="aim_logs" AND ("api/metrics" OR "timeout" OR "resource") AND count > 1000 per 1m
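The SIEM pseudo-query above and the rate-limiting workaround both reduce to the same primitive: counting a client's requests to the metric endpoints inside a trailing time window. The following is an added example for this page, not Aim project code, that implements that primitive once and uses it two ways: offline, to flag clients in an access log whose request rate to the `/api/metrics` paths named above crosses a threshold (the "high volume of requests" indicator), and online, as a rate limiter that a reverse proxy or middleware could consult. The log format is assumed to be Common Log Format as written by a reverse proxy in front of Aim (the advisory does not specify Aim's own log layout), the sample lines are constructed, and the threshold of 10 requests per 60 seconds is a placeholder to tune against real traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed Common Log Format from a reverse proxy; adjust the regex to match
# whatever your proxy actually writes.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one client fires 15 metric requests in 28 seconds, another
# makes two ordinary requests three minutes apart, and one line is malformed.
SAMPLE_LOG = [
    f'10.0.0.5 - - [01/Jan/2025:12:00:{s:02d} +0000] '
    f'"GET /api/metrics?limit={500 * (s + 1)} HTTP/1.1" 200 4096'
    for s in range(0, 30, 2)
] + [
    '10.0.0.9 - - [01/Jan/2025:12:00:05 +0000] "GET /api/projects HTTP/1.1" 200 128',
    '10.0.0.9 - - [01/Jan/2025:12:03:05 +0000] "GET /api/metrics?limit=50 HTTP/1.1" 200 2048',
    'this line is not an access-log record',
]


def parse_access_line(line: str):
    """Return client, unix timestamp, path and status for one line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return {"client": m.group("client"), "ts": ts,
            "path": m.group("path"), "status": int(m.group("status"))}


class SlidingWindowCounter:
    """Counts events per key inside a trailing window; events must arrive in time order per key."""

    def __init__(self, window_seconds: float):
        self.window = window_seconds
        self._events = defaultdict(deque)

    def hit(self, key, ts: float) -> int:
        q = self._events[key]
        q.append(ts)
        while q and ts - q[0] >= self.window:   # drop events that fell out of the window
            q.popleft()
        return len(q)


class RateLimiter:
    """Online use: allow or deny a request. Denied requests still count, so a client
    that keeps hammering stays throttled until it backs off."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.counter = SlidingWindowCounter(window_seconds)

    def allow(self, client: str, ts: float) -> bool:
        return self.counter.hit(client, ts) <= self.limit


def scan_log(lines, path_prefix="/api/metrics", window_seconds=60, threshold=10):
    """Offline use: {client: peak requests seen in one window} for every client that
    exceeded `threshold` requests to `path_prefix` within `window_seconds`."""
    counter = SlidingWindowCounter(window_seconds)
    peaks = {}
    for line in lines:
        rec = parse_access_line(line)
        if rec is None or not rec["path"].startswith(path_prefix):
            continue
        n = counter.hit(rec["client"], rec["ts"])
        if n > threshold and n > peaks.get(rec["client"], 0):
            peaks[rec["client"]] = n
    return peaks


if __name__ == "__main__":
    for client, peak in scan_log(SAMPLE_LOG).items():
        print(f"ALERT {client}: {peak} metric requests inside one 60 s window")
```

On a live proxy log, feed `scan_log` the file line by line rather than a list, and key the counter on the authenticated user or forwarded client address rather than the proxy's own peer if Aim sits behind more than one hop.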
