CVE-2025-51464
Published: 22 July 2025
Summary
CVE-2025-51464 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Aimstack Aim. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 16.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-51464 is a cross-site scripting vulnerability in Aim version 3.28.0 from aimhubio. It stems from insufficient input sanitization on the /api/reports endpoint, where submitted Python code is processed by Pyodide without sandbox restrictions, allowing direct calls to pyodide.code.run_js() that execute arbitrary JavaScript in the browser of anyone viewing the resulting report.
An unauthenticated remote attacker can submit malicious Python payloads to the endpoint. When a victim subsequently views the generated report, the embedded JavaScript executes with the victim's privileges, enabling theft of session data, account takeover, or other actions consistent with the CVSS 8.8 rating that reflects network attack vector, low complexity, and impacts to confidentiality, integrity, and availability.
The associated GitHub repository, pull request 3333, and Gecko Security analysis provide details on the affected code paths and remediation steps for the reported issue. The EPSS score has remained flat at 0.0188 with no material increase observed since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22341
Vulnerability details
Cross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims' browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox restrictions prevent JavaScript execution via pyodide.code.run_js().
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
XSS in the public-facing /api/reports endpoint enables direct exploitation (Exploit Public-Facing Application, T1190) and arbitrary JavaScript execution in the victim's browser via Pyodide (Command and Scripting Interpreter: JavaScript, T1059.007).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Requires validation of Python code submitted to the /api/reports endpoint to block malicious payloads that invoke pyodide.code.run_js() for arbitrary JavaScript execution.
- SC-18 (Mobile Code): Mandates restrictions on mobile code execution, directly addressing the lack of sandboxing or controls preventing JavaScript run via Pyodide in the browser when viewing reports.
- Enforces filtering of report content prior to processing by Pyodide to prevent cross-site scripting through unsanitized output execution in victims' browsers.
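One way to implement the input-validation control described above, as an added example that is neither the Aim project's code nor the fix from pull request 3333: a server-side AST check over Python submitted to /api/reports that rejects imports of the Pyodide/JS bridge, any access to a run_js attribute, and the dynamic-execution builtins that could assemble such a call from strings. The function names, blocked-name sets and sample submissions are constructed for this example; a deny-list of this kind complements, and does not replace, sandboxing on the Pyodide side.

```python
import ast

# Module roots that expose the browser's JS environment from Pyodide, or can reach it indirectly.
BLOCKED_MODULES = {"pyodide", "js", "importlib", "builtins"}
# Attribute the advisory names as the Python-to-JavaScript bridge.
BLOCKED_ATTRS = {"run_js"}
# Dynamic-execution builtins that could assemble a blocked call out of strings.
BLOCKED_BUILTINS = {"eval", "exec", "compile", "__import__"}

def find_violations(source: str) -> list[str]:
    """Return findings for a submitted report script; an empty list means it passed."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        # Unparsable input is rejected rather than handed to the interpreter.
        return [f"line {exc.lineno}: syntax error (rejected: unparsable code)"]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            modules = [node.module or ""]
        else:
            modules = []
        for name in modules:
            if name.split(".")[0] in BLOCKED_MODULES:
                findings.append(f"line {node.lineno}: import of blocked module '{name}'")
        if isinstance(node, ast.Attribute) and node.attr in BLOCKED_ATTRS:
            findings.append(f"line {node.lineno}: access to blocked attribute '{node.attr}'")
        if isinstance(node, ast.Name) and node.id in BLOCKED_BUILTINS:
            findings.append(f"line {node.lineno}: use of dynamic-execution builtin '{node.id}'")
    return findings

def is_safe_report_code(source: str) -> bool:
    """Gate for the endpoint handler: accept only submissions with no findings."""
    return not find_violations(source)

# Constructed sample submissions (not taken from the advisory or the public PoC).
BENIGN = """
import pandas as pd
df = pd.DataFrame({"loss": [0.9, 0.5, 0.2]})
"""
MALICIOUS = """
import pyodide.code
pyodide.code.run_js("1 + 1")  # inert expression standing in for injected JS
"""

if __name__ == "__main__":
    print(find_violations(MALICIOUS))  # two findings on the constructed sample
```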