
CVE-2025-51464: n/a

Severity: High
Type: Vulnerability (CVE-2025-51464)
Published: Tue Jul 22 2025 (07/22/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Cross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims' browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox restrictions prevent JavaScript execution via pyodide.code.run_js().

AI-Powered Analysis

Last updated: 07/22/2025, 17:46:16 UTC

Technical Analysis

CVE-2025-51464 is a stored cross-site scripting (XSS) vulnerability in Aim 3.28.0 by aimhubio. Aim reports carry Python code that the Aim UI executes in the viewer's browser with Pyodide, a WebAssembly build of CPython. Code submitted to the /api/reports endpoint is stored without sanitisation or restriction, and when a victim opens the report, Pyodide runs it inside the Aim web application's own origin. Pyodide deliberately exposes the page's JavaScript environment to Python: pyodide.code.run_js() evaluates an arbitrary JavaScript string, and the js module gives direct access to the browser's global objects. An attacker who can store a report can therefore run JavaScript of their choosing in the session of anyone who views it.

Because that script runs with the privileges of the victim's browser session on the Aim origin, it can read whatever that origin can: cookies or tokens not protected by HttpOnly, experiment and run data returned by the Aim API, and the DOM of the UI, which it can also rewrite to stage phishing content or issue further requests on the victim's behalf. Exploitation needs only the ability to submit a report and get a victim to view it. The CVE record does not state whether submission requires credentials; on deployments where the Aim server is reachable without authentication, the endpoint should be assumed open to anyone who can reach it on the network.

No exploits in the wild are reported at the time of writing. No CVSS score has been assigned; the record was reserved in June 2025 and published in July 2025, and no vendor patch is referenced. The record lists only Aim 3.28.0 as affected and does not say whether earlier or later versions share the issue.

Potential Impact

For European organizations running Aim 3.28.0, this vulnerability threatens the confidentiality and integrity of data handled through the Aim UI. JavaScript executing in the victim's browser on the Aim origin can read session material not protected by HttpOnly, pull experiment metadata and metrics through the Aim API as the victim, and rewrite the interface to stage phishing or social-engineering content. Where the Aim UI shares its origin with other internal web applications, the script reaches those as well. Availability impact is limited, since execution is client-side, but a malicious report can still hang or crash the viewer's browser. If the reports endpoint is reachable without authentication, external attackers can plant reports for internal users to open, which widens the attack surface considerably. Organizations in regulated sectors (finance, healthcare, government) face additional compliance exposure if personal or proprietary training data is compromised, and the risk is heightened by the absence of a vendor patch at the time of publication.

Mitigation Recommendations

Until a fixed release is available, treat report code as untrusted input and reduce both who can submit it and what it can reach. Put the /api/reports endpoint, and ideally the whole Aim server, behind authentication and restrict submission to trusted users; if the endpoint is reachable without credentials, as the analysis above assumes, this means a reverse proxy or application-layer firewall in front of it, plus network segmentation so the server is not reachable from untrusted networks. Do not rely on sanitising the submitted Python: removing run_js() is not enough, because Pyodide's js module exposes the same browser globals, and Python's dynamic imports make string filtering unreliable. The robust structural fix is to execute report code in an isolated context, for example a sandboxed iframe served from a separate origin, so that the script cannot read the Aim origin's cookies, storage or DOM.

Content Security Policy helps less than usual here. It cannot prevent the injected code from acting, because the js module reaches the DOM without any eval and Pyodide itself needs the page to allow WebAssembly compilation ('wasm-unsafe-eval' or 'unsafe-eval'). It can still limit exfiltration: a tight connect-src, img-src and form-action restricts where a script can send what it reads. Log and review report submissions and views on the API, and scan stored reports for use of the JavaScript bridge (run_js, import js, from js import ...) to find injected content that is already present. Warn users not to open reports from untrusted sources, track the vendor's advisories, and upgrade as soon as a fix ships; if feasible, use a version or an alternative tool without the vulnerable report feature until then.
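The following is an added example, not Aim's own code and not a patch for this CVE. It is a triage scanner, using only Python's standard ast module, that flags stored report bodies which reach the Pyodide-to-JavaScript bridge (run_js, the js module, anything under pyodide) or use dynamic import/eval that could hide such access. It supports the review of stored reports recommended above; it is not a sanitizer, since Python cannot be safely sanitised and anything Pyodide executes already runs inside the page origin. The module-name sets and the sample report bodies are constructed for the example and do not reflect Aim's real report format.

```python
"""Heuristic scanner for Python report bodies bound for a Pyodide runtime.

Added example, not Aim's own code and not a fix for CVE-2025-51464. Flags
report code that touches the Pyodide-to-JavaScript bridge or uses dynamic
import/eval that could hide such access. Triage aid only, not a sanitizer.
"""
import ast
from dataclasses import dataclass, field

# Root modules whose import exposes the page's JavaScript globals
# (assumption: the set a reviewer cares about; extend for your deployment).
JS_BRIDGE_ROOTS = {"js", "pyodide"}
# Pyodide's JavaScript evaluator (a wrapper around JS eval).
JS_EXEC_NAMES = {"run_js"}
# Dynamic import / code execution that can evade a static import check.
DYNAMIC_NAMES = {"__import__", "import_module", "exec", "eval"}


@dataclass
class ScanResult:
    findings: list = field(default_factory=list)  # (lineno, reason)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def _call_name(func: ast.expr) -> str:
    """Terminal name of a call target: f() -> 'f', a.b.f() -> 'f'."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def scan_report_code(source: str) -> ScanResult:
    """Walk the AST of one report body and record every JS-bridge reach."""
    result = ScanResult()
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        # Unparseable code would still be shipped to the browser, so flag it.
        result.findings.append((exc.lineno or 0, f"syntax error: {exc.msg}"))
        return result

    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in JS_BRIDGE_ROOTS:
                    result.findings.append(
                        (node.lineno, f"import of JS bridge module '{alias.name}'"))
        elif isinstance(node, ast.ImportFrom):
            mod = node.module or ""
            if mod.split(".")[0] in JS_BRIDGE_ROOTS:
                names = ", ".join(a.name for a in node.names)
                result.findings.append((node.lineno, f"from {mod} import {names}"))
        elif isinstance(node, ast.Call):
            name = _call_name(node.func)
            if name in JS_EXEC_NAMES:
                result.findings.append((node.lineno, f"call to {name}()"))
            elif name in DYNAMIC_NAMES:
                result.findings.append(
                    (node.lineno, f"dynamic import/eval via {name}()"))
    return result


# Constructed sample report bodies (not real Aim reports); the JavaScript
# they reach is deliberately harmless.
SAMPLE_REPORTS = {
    "benign": "import numpy as np\nprint(np.mean([1, 2, 3]))\n",
    "run_js": "from pyodide.code import run_js\nrun_js('1 + 1')\n",
    "js_module": "import js\njs.console.log('hello')\n",
    "dynamic": "bridge = __import__('js')\n",
}


def scan_all(reports=SAMPLE_REPORTS) -> dict:
    """Map each report name to the list of reasons it was flagged."""
    return {name: [reason for _, reason in scan_report_code(code).findings]
            for name, code in reports.items()}


if __name__ == "__main__":
    for name, reasons in scan_all().items():
        print(f"{name}: {'FLAGGED: ' + '; '.join(reasons) if reasons else 'clean'}")
```

Run it against an export of stored report bodies rather than against live submissions: the point is to surface what is already in the database, and a hit is a reason for a human to look, not proof of an attack, since legitimate reports may use the bridge on purpose. Expect misses as well as noise; getattr chains, encoded strings and similar tricks will slip past a static check, which is why the recommendation above is isolation rather than filtering.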


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-06-16T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 687fcadba83201eaac1e0de8

Added to database: 7/22/2025, 5:31:07 PM

Last enriched: 7/22/2025, 5:46:16 PM

Last updated: 8/6/2025, 12:38:05 AM
