CVE-2024-7760
Published: 20 March 2025
Summary
CVE-2024-7760 is a critical-severity CSRF (CWE-352) vulnerability in Aimstack Aim. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other Platforms; in the Other ATLAS/OWASP Terms risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and CM-6 (Configuration Settings).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires establishment and enforcement of secure configuration settings for the tracking server to restrict CORS to trusted origins, directly addressing the overly permissive settings enabling CSRF.
Enforces approved information flow control policies that prohibit unauthorized cross-origin requests to all tracking server endpoints.
Validates information inputs such as origin headers or requires anti-CSRF tokens to block forged cross-site requests to the vulnerable endpoints.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CSRF vulnerability due to overly permissive CORS in the tracking server enables exploitation of a public-facing web application, facilitating unauthorized cross-origin requests to all endpoints that can chain to RCE, DoS, and arbitrary file read/write.
NVD Description
aimhubio/aim version 3.22.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the tracking server. The vulnerability is due to overly permissive CORS settings, allowing cross-origin requests from all origins. This enables CSRF attacks on all endpoints of the tracking server,…
more
which can be chained with other existing vulnerabilities such as remote code execution, denial of service, and arbitrary file read/write.
Deeper analysisAI
CVE-2024-7760 is a Cross-Site Request Forgery (CSRF) vulnerability in aimhubio/aim version 3.22.0, affecting the tracking server component. The flaw arises from overly permissive CORS settings that allow cross-origin requests from all origins, enabling CSRF attacks on all endpoints of the tracking server. Published on 2025-03-20, it carries a CVSS score of 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and maps to CWE-352.
The vulnerability can be exploited by remote attackers with network access and no privileges required, though it relies on user interaction such as visiting a malicious webpage. This setup allows attackers to forge requests from a victim's browser to the tracking server, performing unauthorized actions on the user's behalf across all endpoints. Exploitation can be chained with other existing vulnerabilities in the software to achieve remote code execution, denial of service, or arbitrary file read/write capabilities.
Mitigation details and additional advisory information are available in the Huntr bounty report at https://huntr.com/bounties/2038df5f-4829-4040-8573-67bf9bb89229.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Other Platforms
- Risk Domain
- Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Aim (aimhubio/aim) is an open-source experiment tracking platform for AI/ML workflows, fitting 'Other Platforms' as it supports ML experiment management but does not match specific framework/library categories.