CVE-2025-15099

Summary

A vulnerability was identified in simstudioai sim up to 0.5.27. This vulnerability affects unknown code of the file apps/sim/lib/auth/internal.ts of the component CRON Secret Handler. The manipulation of the argument INTERNAL_API_SECRET leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is e359dc2946b12ed5e45a0ec9c95ecf91bd18502a. Applying a patch is the recommended action to fix this issue.

Affected Software

VendorProductVersion RangeStatus
simstudioaisim0.5.0affected
simstudioaisim0.5.1affected
simstudioaisim0.5.2affected
simstudioaisim0.5.3affected
simstudioaisim0.5.4affected
simstudioaisim0.5.5affected
simstudioaisim0.5.6affected
simstudioaisim0.5.7affected
simstudioaisim0.5.8affected
simstudioaisim0.5.9affected
simstudioaisim0.5.10affected
simstudioaisim0.5.11affected
simstudioaisim0.5.12affected
simstudioaisim0.5.13affected
simstudioaisim0.5.14affected
simstudioaisim0.5.15affected
simstudioaisim0.5.16affected
simstudioaisim0.5.17affected
simstudioaisim0.5.18affected
simstudioaisim0.5.19affected
simstudioaisim0.5.20affected
simstudioaisim0.5.21affected
simstudioaisim0.5.22affected
simstudioaisim0.5.23affected
simstudioaisim0.5.24affected
simstudioaisim0.5.25affected
simstudioaisim0.5.26affected
simstudioaisim0.5.27affected

Weaknesses

  • CWE-287: Improper Authentication

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

Additional References

References