CVE-2024-6851

Published: Mar 20, 2025
Updated: Jun 30, 2025
CVE: <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-6851" target="_blank" rel="noopener"> CVE-2024-6851
GHSA: <a href="https://github.com/advisories/GHSA-mrvr-7493-pfq3" target="_blank" rel="noopener"> GHSA-mrvr-7493-pfq3
Severity: High
Exploit:

In version 3.22.0 of aimhubio/aim, the LocalFileManager._cleanup function in the aim tracking server accepts a user-specified glob-pattern for deleting files. The function does not verify that the matched files are within the directory managed by LocalFileManager, allowing a maliciously crafted glob-pattern to lead to arbitrary file deletion.