CVE-2025-0190

In version 3.25.0 of aimhubio/aim, a denial of service vulnerability exists. By tracking a large number of `Text` objects and then querying them simultaneously through the web API, the Aim web server becomes unresponsive to other requests for an extended period while processing and returning these objects. This vulnerability can be exploited repeatedly, leading to a complete denial of service.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/38d151f1-abb4-443a-86b0-6c26f0c6cb70	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:aimstack:aim:3.25.0:*:*:*:*:*:*:*

History

28 Mar 2025, 14:28

Type	Values Removed	Values Added
CWE		NVD-CWE-Other
Summary		(es) En la versión 3.25.0 de aimhubio/aim, existe una vulnerabilidad de denegación de servicio. Al rastrear una gran cantidad de objetos `Text` y consultarlos simultáneamente a través de la API web, el servidor web de Aim deja de responder a otras solicitudes durante un período prolongado mientras procesa y devuelve estos objetos. Esta vulnerabilidad puede explotarse repetidamente, lo que provoca una denegación de servicio completa.
First Time		Aimstack Aimstack aim
References	~~() https://huntr.com/bounties/38d151f1-abb4-443a-86b0-6c26f0c6cb70 -~~	() https://huntr.com/bounties/38d151f1-abb4-443a-86b0-6c26f0c6cb70 - Exploit, Third Party Advisory
CPE		cpe:2.3:a:aimstack:aim:3.25.0:::::::*

20 Mar 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-20 10:15

Updated : 2025-03-28 14:28

NVD link : CVE-2025-0190

Mitre link : CVE-2025-0190

CVE.ORG link : CVE-2025-0190

JSON object : View

Products Affected

aimstack

aim

CWE

CWE-1049

Excessive Data Query Operations in a Large Data Table

NVD-CWE-Other

{"id": "CVE-2025-0190", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-03-20T10:15:51.780", "references": [{"url": "https://huntr.com/bounties/38d151f1-abb4-443a-86b0-6c26f0c6cb70", "tags": ["Exploit", "Third Party Advisory"], "source": "security@huntr.dev"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-1049"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "In version 3.25.0 of aimhubio/aim, a denial of service vulnerability exists. By tracking a large number of `Text` objects and then querying them simultaneously through the web API, the Aim web server becomes unresponsive to other requests for an extended period while processing and returning these objects. This vulnerability can be exploited repeatedly, leading to a complete denial of service."}, {"lang": "es", "value": "En la versi\u00f3n 3.25.0 de aimhubio/aim, existe una vulnerabilidad de denegaci\u00f3n de servicio. Al rastrear una gran cantidad de objetos `Text` y consultarlos simult\u00e1neamente a trav\u00e9s de la API web, el servidor web de Aim deja de responder a otras solicitudes durante un per\u00edodo prolongado mientras procesa y devuelve estos objetos. Esta vulnerabilidad puede explotarse repetidamente, lo que provoca una denegaci\u00f3n de servicio completa."}], "lastModified": "2025-03-28T14:28:25.273", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:aimstack:aim:3.25.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A9850B23-8420-4636-8BCF-DBFB56C51026"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}