
CVE-2025-51464: Aim vulnerable to Cross-site Scripting

CVSS Score: N/A

Basic Information

EPSS Score: -
Published: 7/22/2025
Updated: 7/22/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: -

Package Name: aim
Ecosystem: pip
Vulnerable Versions: <= 3.30.0.dev20250611
First Patched Version: -

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability, identified as CVE-2025-51464, is a Cross-site Scripting (XSS) flaw in the Aim platform. The core of the issue lies in the application's failure to sanitize user-submitted Python code that is intended for inclusion in reports. This unsanitized code is later executed by the Pyodide engine in the browser when a user views a report, allowing for arbitrary JavaScript execution.

The investigation into the provided patch, commit 308edd91a6a0208ae7af36807c5a795af68bb303, reveals the exact point of failure and the subsequent remediation. The patch introduces a new validation function, validate_code_safety, into aim/web/api/reports/views.py. This function is designed to detect and block potentially malicious code containing calls like pyodide.code.run_js().

The critical change is the application of this validation function within two specific API endpoint handlers in the same file:

  1. reports_post_api: This function is responsible for creating new reports. Prior to the patch, it directly accepted user input from request_data.code and stored it. The patch integrates validate_code_safety to check the code before it is saved.

  2. reports_put_api: This function handles the updating of existing reports. It was similarly flawed, allowing an attacker to inject malicious code into an existing report. The patch applies the same validation logic to the update process.

These two functions served as the entry points for the malicious code. By not validating the input, they permitted an attacker to store a payload. The actual execution (the "sink") happens on the frontend, in a component such as Board.tsx (as noted in the pull request description), but from a backend perspective the identified functions are the vulnerable ones, because they are responsible for accepting and storing the untrusted input. The applied fix addresses the vulnerability at the source, rejecting the malicious code before it is ever persisted.
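An illustrative version of such a check, added here as an example and not Aim's own `validate_code_safety` or its handlers: the submitted report code is parsed with the `ast` module and rejected if it calls the one target the advisory names, `pyodide.code.run_js`, and a hypothetical `store_report` stands in for the POST/PUT handlers to show the check running before anything is saved. The blocklist, the handler, and the in-memory `reports` store are assumptions for this example.

```python
import ast
from typing import Optional, Tuple

# Dotted call targets rejected in report code. Only pyodide.code.run_js is
# named by the advisory; this set is constructed for the example.
BLOCKED_CALLS = {"pyodide.code.run_js"}


def _dotted_name(node: ast.AST) -> Optional[str]:
    """Return 'a.b.c' for an Attribute/Name chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def validate_code_safety(code: str) -> Tuple[bool, str]:
    """Parse the submitted code and reject calls to blocked targets.

    Returns (ok, reason). Code that does not parse is rejected as well,
    since the server cannot reason about what the browser-side Pyodide
    interpreter would do with it.
    """
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        return False, f"code does not parse: {exc.msg} (line {exc.lineno})"
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            target = _dotted_name(node.func)
            if target in BLOCKED_CALLS:
                return False, f"blocked call {target} at line {node.lineno}"
    return True, ""


def store_report(request_data: dict, reports: dict) -> dict:
    """Hypothetical stand-in for the POST/PUT handlers: validate, then save.

    The unpatched handlers wrote request_data['code'] straight to storage;
    here the write only happens after validate_code_safety accepts it.
    """
    ok, reason = validate_code_safety(request_data.get("code", ""))
    if not ok:
        return {"status": 400, "detail": reason}
    reports[request_data["id"]] = request_data["code"]
    return {"status": 200, "detail": "stored"}
```

A name-based check like this is a defence-in-depth layer, not a sandbox: it only sees literal call chains, so browser-side controls (Pyodide isolation, a strict Content Security Policy) still carry the real weight.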

Vulnerable functions

reports_post_api (aim/web/api/reports/views.py)

This function handles the creation of new reports. It was vulnerable because it accepted user-provided Python code in the `code` field of a POST request to `/api/reports` without any validation. This allowed an attacker to save malicious code that would later be executed by Pyodide in the victim's browser, leading to Cross-site Scripting (XSS). The patch added a call to `validate_code_safety` so that unsafe code is rejected before it is stored.

reports_put_api (aim/web/api/reports/views.py)

This function handles updates to existing reports. It was vulnerable because it allowed an attacker to submit malicious Python code via a PUT request to `/api/reports/{report_id}` to update the `code` field. This code was not validated and would be executed upon viewing the report, causing XSS. The patch added a call to `validate_code_safety` to prevent storing malicious code.

WAF Protection Rules

WAF Rule

Cross-site Scripting (XSS) in aimhubio aim *.**.* allows remote attackers to execute arbitrary JavaScript in victims' browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the repo
