CVE-2025-51464: 
Python vulnerability analysis and mitigation

Cross-site Scripting (XSS) vulnerability was discovered in aimhubio Aim version 3.28.0, identified as CVE-2025-51464. The vulnerability allows remote attackers to execute arbitrary JavaScript in victims' browsers through malicious Python code submitted to the /api/reports endpoint. The submitted code is interpreted and executed by Pyodide when the report is viewed, with no sanitization or sandbox restrictions preventing JavaScript execution via pyodide.code.run_js() (NVD, Gecko Security).

The vulnerability stems from the /api/reports API endpoint which accepts user-supplied Python code in the code field of POST requests. The data flow begins when code is stored in the database without sanitization via the Report model. When retrieved, the code is embedded within a React component where the markdown renderer interprets code blocks with the 'aim' language tag. These code blocks are passed to the Board component for execution in Board.tsx, where Pyodide loads and executes the Python code without any restrictions on JavaScript execution through pyodide.code.run_js() (Gecko Security).

The vulnerability allows attackers to execute arbitrary JavaScript code in victims' browsers, enabling them to steal authentication cookies and tokens, access and exfiltrate sensitive information from the application, and make authenticated requests on behalf of victims (Gecko Security).

A fix has been implemented through a pull request that introduces validation functions to detect and block potentially malicious code containing calls like pyodide.code.runjs(). The patch specifically modifies the reportspostapi and reportsputapi functions in aim/web/api/reports/views.py to include the validatecode_safety check before saving or updating any code (GitHub PR).