GHSA-gmvv-rj92-9w35

Source

https://github.com/advisories/GHSA-gmvv-rj92-9w35

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-gmvv-rj92-9w35/GHSA-gmvv-rj92-9w35.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-gmvv-rj92-9w35

Aliases

CVE-2025-51464

Published

2025-07-22T18:30:42Z

Modified

2025-07-22T21:12:27.493608Z

Severity

5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator

Summary

Aim vulnerable to Cross-site Scripting

Details

Cross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox restrictions prevent JavaScript execution via pyodide.code.run_js().

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-22T20:48:43Z",
    "severity": "MODERATE",
    "nvd_published_at": "2025-07-22T18:15:36Z",
    "cwe_ids": [
        "CWE-79"
    ]
}

References

Affected packages

PyPI / aim

Package

Name: aim; View open source insights on deps.dev
Purl: pkg:pypi/aim

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

3.30.0.dev20250611

Affected versions

2.*

2.0.19

2.0.20

2.0.21

2.0.22

2.0.23

2.0.24

2.0.25

2.0.26

2.0.27

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.2.0

2.2.1

2.3.0

2.4.0

2.5.0

2.6.0

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.1.0

3.1.1

3.2.0

3.2.1

3.2.2

3.3.0

3.3.1

3.3.2

3.3.3

3.3.4

3.3.5

3.4.0

3.4.1

3.5.0

3.5.1

3.5.2

3.5.3

3.5.4

3.6.0

3.6.1

3.6.2

3.6.3

3.7.0

3.7.1

3.7.2

3.7.3

3.7.4

3.7.5

3.8.0

3.8.1

3.9.0a1

3.9.0a14

3.9.2

3.9.3

3.9.4

3.10.0.dev9

3.10.0

3.10.1

3.10.2

3.10.3

3.11.0.dev4

3.11.0

3.11.1.dev1

3.11.1

3.11.2

3.12.0.dev2

3.12.0

3.12.1

3.12.2

3.13.0

3.13.1

3.13.2

3.13.3

3.13.4

3.14.0

3.14.1

3.14.2

3.14.3

3.14.4

3.15.0

3.15.1

3.15.2

3.16.0

3.16.1

3.16.2

3.17.0

3.17.1

3.17.2

3.17.3

3.17.4

3.17.5rc1

3.17.5rc2

3.17.5rc3

3.17.5rc4

3.17.5

3.18.0.dev2

3.18.0.dev3

3.18.0.dev4

3.18.0.dev5

3.18.0

3.18.1

3.19.0

3.19.1

3.19.2

3.19.3

3.20.1

3.21.0

3.22.0

3.23.0

3.24.0

3.25.0

3.25.1

3.26.0.dev1

3.26.1

3.27.0

3.28.0

3.29.0.dev20250321

3.29.0.dev20250322

3.29.0.dev20250323

3.29.0.dev20250324

3.29.0.dev20250327

3.29.0.dev20250328

3.29.0.dev20250329

3.29.0.dev20250330

3.29.0.dev20250331

3.29.0.dev20250401

3.29.0.dev20250402

3.29.0.dev20250403

3.29.0.dev20250404

3.29.0.dev20250405

3.29.0.dev20250406

3.29.0.dev20250407

3.29.0.dev20250408

3.29.0.dev20250409

3.29.0.dev20250410

3.29.0.dev20250411

3.29.0.dev20250412

3.29.0.dev20250413

3.29.0.dev20250414

3.29.0.dev20250415

3.29.0.dev20250416

3.29.0.dev20250417

3.29.0.dev20250418

3.29.0.dev20250419

3.29.0.dev20250420

3.29.0

3.29.1

3.30.0.dev20250508

3.30.0.dev20250509

3.30.0.dev20250510

3.30.0.dev20250511

3.30.0.dev20250512

3.30.0.dev20250513

3.30.0.dev20250514

3.30.0.dev20250515

3.30.0.dev20250516

3.30.0.dev20250517

3.30.0.dev20250518

3.30.0.dev20250519

3.30.0.dev20250520

3.30.0.dev20250521

3.30.0.dev20250522

3.30.0.dev20250523

3.30.0.dev20250524

3.30.0.dev20250525

3.30.0.dev20250526

3.30.0.dev20250527

3.30.0.dev20250528

3.30.0.dev20250529

3.30.0.dev20250530

3.30.0.dev20250531

3.30.0.dev20250601

3.30.0.dev20250602

3.30.0.dev20250603

3.30.0.dev20250604

3.30.0.dev20250605

3.30.0.dev20250606

3.30.0.dev20250607

3.30.0.dev20250608

3.30.0.dev20250609

3.30.0.dev20250610

3.30.0.dev20250611

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-gmvv-rj92-9w35/GHSA-gmvv-rj92-9w35.json"