Description
A vulnerability was identified in simstudioai sim up to 0.5.27. This vulnerability affects unknown code of the file apps/sim/lib/auth/internal.ts of the component CRON Secret Handler. The manipulation of the argument INTERNAL_API_SECRET leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is e359dc2946b12ed5e45a0ec9c95ecf91bd18502a. Applying a patch is the recommended action to fix this issue.
Problem types
Product status
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
0.5.8
0.5.9
0.5.10
0.5.11
0.5.12
0.5.13
0.5.14
0.5.15
0.5.16
0.5.17
0.5.18
0.5.19
0.5.20
0.5.21
0.5.22
0.5.23
0.5.24
0.5.25
0.5.26
0.5.27
Timeline
| 2025-12-25: | Advisory disclosed |
| 2025-12-25: | VulDB entry created |
| 2025-12-25: | VulDB entry last update |
Credits
28Hus (VulDB User)
References
gist.github.com/H2u8s/c533741e1b36f6245d41cace89a7f4d2
vuldb.com/?id.338430 (VDB-338430 | simstudioai sim CRON Secret internal.ts improper authentication)
vuldb.com/?ctiid.338430 (VDB-338430 | CTI Indicators (IOB, IOC, IOA))
vuldb.com/?submit.710255 (Submit #710255 | https://github.com/simstudioai https://github.com/simstudioai/sim ≤ v0.5.21 Authentication Bypass by Primary Weakness)
gist.github.com/H2u8s/c533741e1b36f6245d41cace89a7f4d2
github.com/simstudioai/sim/pull/2343
gist.github.com/H2u8s/c533741e1b36f6245d41cace89a7f4d2
github.com/...ommit/e359dc2946b12ed5e45a0ec9c95ecf91bd18502a
Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.
