CVE-2025-15099
Severity CVSS v4.0:
MEDIUM
Type:
CWE-287
Authentication Issues
Publication date:
26/12/2025
Last modified:
26/12/2025
Description
A vulnerability was identified in simstudioai sim up to 0.5.27. This vulnerability affects unknown code of the file apps/sim/lib/auth/internal.ts of the component CRON Secret Handler. The manipulation of the argument INTERNAL_API_SECRET leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is e359dc2946b12ed5e45a0ec9c95ecf91bd18502a. Applying a patch is the recommended action to fix this issue.
Impact
Base Score 4.0
6.90
Severity 4.0
MEDIUM
Base Score 3.x
7.30
Severity 3.x
HIGH
Base Score 2.0
7.50
Severity 2.0
HIGH
References to Advisories, Solutions, and Tools
- https://gist.github.com/H2u8s/c533741e1b36f6245d41cace89a7f4d2
- https://gist.github.com/H2u8s/c533741e1b36f6245d41cace89a7f4d2#-steps-to-reproduce
- https://github.com/simstudioai/sim/commit/e359dc2946b12ed5e45a0ec9c95ecf91bd18502a
- https://github.com/simstudioai/sim/pull/2343
- https://vuldb.com/?ctiid_338430=
- https://vuldb.com/?id_338430=
- https://vuldb.com/?submit_710255=
- https://gist.github.com/H2u8s/c533741e1b36f6245d41cace89a7f4d2#-steps-to-reproduce