Vulnerabilites related to SimStudioAI - sim
CVE-2025-9805 (GCVE-0-2025-9805)
Vulnerability from cvelistv5
Published
2025-09-02 00:02
Modified
2025-09-02 19:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery
Summary
A vulnerability was found in SimStudioAI sim up to 51b1e97fa22c48d144aef75f8ca31a74ad2cfed2. This issue affects some unknown processing of the file apps/sim/app/api/proxy/image/route.ts. The manipulation results in server-side request forgery. The attack may be performed from remote. The exploit has been made public and could be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The patch is identified as 3424a338b763115f0269b209e777608e4cd31785. Applying a patch is advised to resolve this issue.
References
| ▼ | URL | Tags |
|---|---|---|
| https://vuldb.com/?id.322129 | vdb-entry | |
| https://vuldb.com/?ctiid.322129 | signature, permissions-required | |
| https://vuldb.com/?submit.640821 | third-party-advisory | |
| https://github.com/simstudioai/sim/issues/1128 | issue-tracking | |
| https://github.com/simstudioai/sim/issues/1128#issuecomment-3226867869 | issue-tracking | |
| https://github.com/simstudioai/sim/issues/1128#issue-3349260976 | exploit, issue-tracking | |
| https://github.com/simstudioai/sim/commit/3424a338b763115f0269b209e777608e4cd31785 | patch |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SimStudioAI | sim |
Version: 51b1e97fa22c48d144aef75f8ca31a74ad2cfed2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9805",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-02T19:33:51.520410Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-02T19:34:20.352Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sim",
"vendor": "SimStudioAI",
"versions": [
{
"status": "affected",
"version": "51b1e97fa22c48d144aef75f8ca31a74ad2cfed2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "0x1f (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in SimStudioAI sim up to 51b1e97fa22c48d144aef75f8ca31a74ad2cfed2. This issue affects some unknown processing of the file apps/sim/app/api/proxy/image/route.ts. The manipulation results in server-side request forgery. The attack may be performed from remote. The exploit has been made public and could be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The patch is identified as 3424a338b763115f0269b209e777608e4cd31785. Applying a patch is advised to resolve this issue."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in SimStudioAI sim bis 51b1e97fa22c48d144aef75f8ca31a74ad2cfed2 entdeckt. Das betrifft eine unbekannte Funktionalit\u00e4t der Datei apps/sim/app/api/proxy/image/route.ts. Durch die Manipulation mit unbekannten Daten kann eine server-side request forgery-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Die Ausnutzung wurde ver\u00f6ffentlicht und kann verwendet werden. Dieses Produkt setzt Rolling Releases ein. Aus diesem Grund sind Details zu betroffenen oder zu aktualisierende Versionen nicht verf\u00fcgbar. Die Bezeichnung des Patches lautet 3424a338b763115f0269b209e777608e4cd31785. Es ist ratsam, einen Patch zu implementieren, um dieses Problem zu beheben."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-02T00:02:07.900Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-322129 | SimStudioAI sim route.ts server-side request forgery",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.322129"
},
{
"name": "VDB-322129 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.322129"
},
{
"name": "Submit #640821 | simstudioai sim latest Server-side request forgery",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.640821"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/simstudioai/sim/issues/1128"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/simstudioai/sim/issues/1128#issuecomment-3226867869"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/simstudioai/sim/issues/1128#issue-3349260976"
},
{
"tags": [
"patch"
],
"url": "https://github.com/simstudioai/sim/commit/3424a338b763115f0269b209e777608e4cd31785"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2025-09-01T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-09-01T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-09-01T16:57:17.000Z",
"value": "VulDB entry last update"
}
],
"title": "SimStudioAI sim route.ts server-side request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-9805",
"datePublished": "2025-09-02T00:02:07.900Z",
"dateReserved": "2025-09-01T14:52:07.245Z",
"dateUpdated": "2025-09-02T19:34:20.352Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9801 (GCVE-0-2025-9801)
Vulnerability from cvelistv5
Published
2025-09-01 23:02
Modified
2025-09-02 19:41
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Path Traversal
Summary
A security vulnerability has been detected in SimStudioAI sim up to ed9b9ad83f1a7c61f4392787fb51837d34eeb0af. This affects an unknown part. The manipulation of the argument filePath leads to path traversal. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The identifier of the patch is 45372aece5e05e04b417442417416a52e90ba174. To fix this issue, it is recommended to deploy a patch.
References
| ▼ | URL | Tags |
|---|---|---|
| https://vuldb.com/?id.322116 | vdb-entry, technical-description | |
| https://vuldb.com/?ctiid.322116 | signature, permissions-required | |
| https://vuldb.com/?submit.641130 | third-party-advisory | |
| https://github.com/simstudioai/sim/issues/959 | issue-tracking | |
| https://github.com/simstudioai/sim/issues/959#issuecomment-3221311557 | issue-tracking | |
| https://github.com/simstudioai/sim/issues/959#issue-3320697951 | exploit, issue-tracking | |
| https://github.com/simstudioai/sim/commit/45372aece5e05e04b417442417416a52e90ba174 | patch |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SimStudioAI | sim |
Version: ed9b9ad83f1a7c61f4392787fb51837d34eeb0af |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9801",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-02T19:36:11.631728Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-02T19:41:17.897Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sim",
"vendor": "SimStudioAI",
"versions": [
{
"status": "affected",
"version": "ed9b9ad83f1a7c61f4392787fb51837d34eeb0af"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ZAST.AI (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in SimStudioAI sim up to ed9b9ad83f1a7c61f4392787fb51837d34eeb0af. This affects an unknown part. The manipulation of the argument filePath leads to path traversal. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The identifier of the patch is 45372aece5e05e04b417442417416a52e90ba174. To fix this issue, it is recommended to deploy a patch."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in SimStudioAI sim bis ed9b9ad83f1a7c61f4392787fb51837d34eeb0af gefunden. Hiervon betroffen ist ein unbekannter Codeblock. Durch Manipulation des Arguments filePath mit unbekannten Daten kann eine path traversal-Schwachstelle ausgenutzt werden. Ein Angriff ist aus der Distanz m\u00f6glich. Der Exploit wurde der \u00d6ffentlichkeit bekannt gemacht und k\u00f6nnte verwendet werden. Dieses Produkt verzichtet auf eine Versionierung und verwendet stattdessen Rolling Releases. Deshalb sind keine Details zu betroffenen oder zu aktualisierende Versionen vorhanden. Der Patch heisst 45372aece5e05e04b417442417416a52e90ba174. Es wird empfohlen, einen Patch anzuwenden, um dieses Problem zu beheben."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.5,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-01T23:02:06.763Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-322116 | SimStudioAI sim path traversal",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.322116"
},
{
"name": "VDB-322116 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.322116"
},
{
"name": "Submit #641130 | simstudioai https://github.com/simstudioai/sim \u003c=1.0.0 Arbitrary File Deletion",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.641130"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/simstudioai/sim/issues/959"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/simstudioai/sim/issues/959#issuecomment-3221311557"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/simstudioai/sim/issues/959#issue-3320697951"
},
{
"tags": [
"patch"
],
"url": "https://github.com/simstudioai/sim/commit/45372aece5e05e04b417442417416a52e90ba174"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2025-09-01T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-09-01T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-09-01T14:43:29.000Z",
"value": "VulDB entry last update"
}
],
"title": "SimStudioAI sim path traversal"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-9801",
"datePublished": "2025-09-01T23:02:06.763Z",
"dateReserved": "2025-09-01T12:38:22.365Z",
"dateUpdated": "2025-09-02T19:41:17.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9800 (GCVE-0-2025-9800)
Vulnerability from cvelistv5
Published
2025-09-01 22:32
Modified
2025-09-02 19:45
Severity ?
VLAI Severity ?
EPSS score ?
Summary
A weakness has been identified in SimStudioAI sim up to ed9b9ad83f1a7c61f4392787fb51837d34eeb0af. Affected by this issue is the function Import of the file apps/sim/app/api/files/upload/route.ts of the component HTML File Parser. Executing manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. This patch is called 45372aece5e05e04b417442417416a52e90ba174. A patch should be applied to remediate this issue.
References
| ▼ | URL | Tags |
|---|---|---|
| https://vuldb.com/?id.322115 | vdb-entry, technical-description | |
| https://vuldb.com/?ctiid.322115 | signature, permissions-required | |
| https://vuldb.com/?submit.641129 | third-party-advisory | |
| https://github.com/simstudioai/sim/issues/958 | issue-tracking | |
| https://github.com/simstudioai/sim/issues/958#issuecomment-3221311734 | issue-tracking | |
| https://github.com/simstudioai/sim/issues/958#issue-3320696271 | exploit, issue-tracking | |
| https://github.com/simstudioai/sim/commit/45372aece5e05e04b417442417416a52e90ba174 | patch |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SimStudioAI | sim |
Version: ed9b9ad83f1a7c61f4392787fb51837d34eeb0af |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9800",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-02T19:42:33.698817Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-02T19:45:42.085Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"HTML File Parser"
],
"product": "sim",
"vendor": "SimStudioAI",
"versions": [
{
"status": "affected",
"version": "ed9b9ad83f1a7c61f4392787fb51837d34eeb0af"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ZAST.AI (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in SimStudioAI sim up to ed9b9ad83f1a7c61f4392787fb51837d34eeb0af. Affected by this issue is the function Import of the file apps/sim/app/api/files/upload/route.ts of the component HTML File Parser. Executing manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. This patch is called 45372aece5e05e04b417442417416a52e90ba174. A patch should be applied to remediate this issue."
},
{
"lang": "de",
"value": "In SimStudioAI sim bis ed9b9ad83f1a7c61f4392787fb51837d34eeb0af ist eine Schwachstelle entdeckt worden. Davon betroffen ist die Funktion Import der Datei apps/sim/app/api/files/upload/route.ts der Komponente HTML File Parser. Durch die Manipulation des Arguments File mit unbekannten Daten kann eine unrestricted upload-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. F\u00fcr dieses Produkt wird ein Rolling-Release-Ansatz verwendet, wodurch eine st\u00e4ndige Bereitstellung erfolgt. Daher sind keine Versionsdetails zu betroffenen oder aktualisierten Versionen vorhanden. Der Name des Patches ist 45372aece5e05e04b417442417416a52e90ba174. Als bestm\u00f6gliche Massnahme wird Patching empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "Unrestricted Upload",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-01T22:32:06.885Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-322115 | SimStudioAI sim HTML File route.ts import unrestricted upload",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.322115"
},
{
"name": "VDB-322115 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.322115"
},
{
"name": "Submit #641129 | simstudioai https://github.com/simstudioai/sim \u003c=1.0.0 Dangerous type of file upload (CWE-434)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.641129"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/simstudioai/sim/issues/958"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/simstudioai/sim/issues/958#issuecomment-3221311734"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/simstudioai/sim/issues/958#issue-3320696271"
},
{
"tags": [
"patch"
],
"url": "https://github.com/simstudioai/sim/commit/45372aece5e05e04b417442417416a52e90ba174"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2025-09-01T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-09-01T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-09-01T14:43:28.000Z",
"value": "VulDB entry last update"
}
],
"title": "SimStudioAI sim HTML File route.ts import unrestricted upload"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-9800",
"datePublished": "2025-09-01T22:32:06.885Z",
"dateReserved": "2025-09-01T12:37:19.157Z",
"dateUpdated": "2025-09-02T19:45:42.085Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-7114 (GCVE-0-2025-7114)
Vulnerability from cvelistv5
Published
2025-07-07 05:32
Modified
2025-07-07 16:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
A vulnerability was found in SimStudioAI sim up to 37786d371e17d35e0764e1b5cd519d873d90d97b. It has been declared as critical. Affected by this vulnerability is the function POST of the file apps/sim/app/api/files/upload/route.ts of the component Session Handler. The manipulation of the argument Request leads to missing authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
References
| ▼ | URL | Tags |
|---|---|---|
| https://vuldb.com/?id.315025 | vdb-entry, technical-description | |
| https://vuldb.com/?ctiid.315025 | signature, permissions-required | |
| https://vuldb.com/?submit.604898 | third-party-advisory | |
| https://github.com/vri-report/reports/issues/3 | exploit, issue-tracking |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SimStudioAI | sim |
Version: 37786d371e17d35e0764e1b5cd519d873d90d97b |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7114",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-07T16:51:08.632085Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T16:55:36.080Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Session Handler"
],
"product": "sim",
"vendor": "SimStudioAI",
"versions": [
{
"status": "affected",
"version": "37786d371e17d35e0764e1b5cd519d873d90d97b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in SimStudioAI sim up to 37786d371e17d35e0764e1b5cd519d873d90d97b. It has been declared as critical. Affected by this vulnerability is the function POST of the file apps/sim/app/api/files/upload/route.ts of the component Session Handler. The manipulation of the argument Request leads to missing authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "In SimStudioAI sim bis 37786d371e17d35e0764e1b5cd519d873d90d97b wurde eine kritische Schwachstelle ausgemacht. Es geht um die Funktion POST der Datei apps/sim/app/api/files/upload/route.ts der Komponente Session Handler. Durch das Manipulieren des Arguments Request mit unbekannten Daten kann eine missing authentication-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "Missing Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T05:32:05.686Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-315025 | SimStudioAI sim Session route.ts POST missing authentication",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.315025"
},
{
"name": "VDB-315025 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.315025"
},
{
"name": "Submit #604898 | Sim Studio AI Sim Studio git checkout 190f3f998a6d27ddfd21a0bf7d095fa81d5e9d28 Unauthorized file upload",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.604898"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/vri-report/reports/issues/3"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-07-06T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-07-06T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-07-06T07:53:42.000Z",
"value": "VulDB entry last update"
}
],
"title": "SimStudioAI sim Session route.ts POST missing authentication"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-7114",
"datePublished": "2025-07-07T05:32:05.686Z",
"dateReserved": "2025-07-06T05:48:08.635Z",
"dateUpdated": "2025-07-07T16:55:36.080Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-7107 (GCVE-0-2025-7107)
Vulnerability from cvelistv5
Published
2025-07-07 02:02
Modified
2025-07-07 15:37
Severity ?
5.5 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
5.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
5.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Path Traversal
Summary
A vulnerability classified as critical has been found in SimStudioAI sim up to 0.1.17. Affected is the function handleLocalFile of the file apps/sim/app/api/files/parse/route.ts. The manipulation of the argument filePath leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The patch is identified as b2450530d1ddd0397a11001a72aa0fde401db16a. It is recommended to apply a patch to fix this issue.
References
| ▼ | URL | Tags |
|---|---|---|
| https://vuldb.com/?id.315018 | vdb-entry, technical-description | |
| https://vuldb.com/?ctiid.315018 | signature, permissions-required | |
| https://vuldb.com/?submit.601043 | third-party-advisory | |
| https://github.com/vri-report/reports/issues/2 | issue-tracking | |
| https://github.com/simstudioai/sim/pull/437 | issue-tracking | |
| https://github.com/vri-report/reports/issues/2#issue-3161840085 | exploit, issue-tracking | |
| https://github.com/simstudioai/sim/commit/b2450530d1ddd0397a11001a72aa0fde401db16a | patch |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SimStudioAI | sim |
Version: 0.1.0 Version: 0.1.1 Version: 0.1.2 Version: 0.1.3 Version: 0.1.4 Version: 0.1.5 Version: 0.1.6 Version: 0.1.7 Version: 0.1.8 Version: 0.1.9 Version: 0.1.10 Version: 0.1.11 Version: 0.1.12 Version: 0.1.13 Version: 0.1.14 Version: 0.1.15 Version: 0.1.16 Version: 0.1.17 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7107",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-07T15:37:09.983980Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T15:37:13.337Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/vri-report/reports/issues/2"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sim",
"vendor": "SimStudioAI",
"versions": [
{
"status": "affected",
"version": "0.1.0"
},
{
"status": "affected",
"version": "0.1.1"
},
{
"status": "affected",
"version": "0.1.2"
},
{
"status": "affected",
"version": "0.1.3"
},
{
"status": "affected",
"version": "0.1.4"
},
{
"status": "affected",
"version": "0.1.5"
},
{
"status": "affected",
"version": "0.1.6"
},
{
"status": "affected",
"version": "0.1.7"
},
{
"status": "affected",
"version": "0.1.8"
},
{
"status": "affected",
"version": "0.1.9"
},
{
"status": "affected",
"version": "0.1.10"
},
{
"status": "affected",
"version": "0.1.11"
},
{
"status": "affected",
"version": "0.1.12"
},
{
"status": "affected",
"version": "0.1.13"
},
{
"status": "affected",
"version": "0.1.14"
},
{
"status": "affected",
"version": "0.1.15"
},
{
"status": "affected",
"version": "0.1.16"
},
{
"status": "affected",
"version": "0.1.17"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "tool",
"value": "VulDB GitHub Commit Analyzer"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as critical has been found in SimStudioAI sim up to 0.1.17. Affected is the function handleLocalFile of the file apps/sim/app/api/files/parse/route.ts. The manipulation of the argument filePath leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The patch is identified as b2450530d1ddd0397a11001a72aa0fde401db16a. It is recommended to apply a patch to fix this issue."
},
{
"lang": "de",
"value": "Es wurde eine kritische Schwachstelle in SimStudioAI sim bis 0.1.17 entdeckt. Dabei betrifft es die Funktion handleLocalFile der Datei apps/sim/app/api/files/parse/route.ts. Dank der Manipulation des Arguments filePath mit unbekannten Daten kann eine path traversal-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Der Patch wird als b2450530d1ddd0397a11001a72aa0fde401db16a bezeichnet. Als bestm\u00f6gliche Massnahme wird Patching empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T02:02:07.997Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-315018 | SimStudioAI sim route.ts handleLocalFile path traversal",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.315018"
},
{
"name": "VDB-315018 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.315018"
},
{
"name": "Submit #601043 | SimStudioAI Sim \u003c=0.1.17 Absolute Path Traversal",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.601043"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/vri-report/reports/issues/2"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/simstudioai/sim/pull/437"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/vri-report/reports/issues/2#issue-3161840085"
},
{
"tags": [
"patch"
],
"url": "https://github.com/simstudioai/sim/commit/b2450530d1ddd0397a11001a72aa0fde401db16a"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-07-05T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-07-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-07-05T21:33:13.000Z",
"value": "VulDB entry last update"
}
],
"title": "SimStudioAI sim route.ts handleLocalFile path traversal"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-7107",
"datePublished": "2025-07-07T02:02:07.997Z",
"dateReserved": "2025-07-05T19:27:06.479Z",
"dateUpdated": "2025-07-07T15:37:13.337Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}