{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-10096","assignerOrgId":"1af790b2-7ee1-4545-860a-a788eba489b5","state":"PUBLISHED","assignerShortName":"VulDB","dateReserved":"2025-09-08T09:54:42.157Z","datePublished":"2025-09-08T15:32:08.846Z","dateUpdated":"2025-09-08T15:54:31.292Z"},"containers":{"cna":{"providerMetadata":{"orgId":"1af790b2-7ee1-4545-860a-a788eba489b5","shortName":"VulDB","dateUpdated":"2025-09-08T15:32:08.846Z"},"title":"SimStudioAI sim route.ts server-side request forgery","problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-918","lang":"en","description":"Server-Side Request Forgery"}]}],"affected":[{"vendor":"SimStudioAI","product":"sim","versions":[{"version":"1.0","status":"affected"}]}],"descriptions":[{"lang":"en","value":"A vulnerability was determined in SimStudioAI sim up to 1.0.0. This affects an unknown function of the file apps/sim/app/api/files/parse/route.ts. Executing manipulation of the argument filePath can lead to server-side request forgery. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This patch is called 3424a338b763115f0269b209e777608e4cd31785. Applying a patch is advised to resolve this issue."},{"lang":"de","value":"Es wurde eine Schwachstelle in SimStudioAI sim bis 1.0.0 entdeckt. Es geht hierbei um eine nicht näher spezifizierte Funktion der Datei apps/sim/app/api/files/parse/route.ts. Durch das Manipulieren des Arguments filePath mit unbekannten Daten kann eine server-side request forgery-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk erfolgen. Die Schwachstelle wurde öffentlich offengelegt und könnte ausgenutzt werden. Der Patch trägt den Namen 3424a338b763115f0269b209e777608e4cd31785. Es wird geraten, einen Patch zu installieren, um dieses Problem zu lösen."}],"metrics":[{"cvssV4_0":{"version":"4.0","baseScore":5.3,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P","baseSeverity":"MEDIUM"}},{"cvssV3_1":{"version":"3.1","baseScore":6.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C","baseSeverity":"MEDIUM"}},{"cvssV3_0":{"version":"3.0","baseScore":6.3,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C","baseSeverity":"MEDIUM"}},{"cvssV2_0":{"version":"2.0","baseScore":6.5,"vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}],"timeline":[{"time":"2025-09-08T00:00:00.000Z","lang":"en","value":"Advisory disclosed"},{"time":"2025-09-08T02:00:00.000Z","lang":"en","value":"VulDB entry created"},{"time":"2025-09-08T11:59:58.000Z","lang":"en","value":"VulDB entry last update"}],"credits":[{"lang":"en","value":"ZAST.AI (VulDB User)","type":"reporter"}],"references":[{"url":"https://vuldb.com/?id.323057","name":"VDB-323057 | SimStudioAI sim route.ts server-side request forgery","tags":["vdb-entry","technical-description"]},{"url":"https://vuldb.com/?ctiid.323057","name":"VDB-323057 | CTI Indicators (IOB, IOC, IOA)","tags":["signature","permissions-required"]},{"url":"https://vuldb.com/?submit.644953","name":"Submit #644953 | simstudioai https://github.com/simstudioai/sim <=1.0.0 SSRF","tags":["third-party-advisory"]},{"url":"https://github.com/simstudioai/sim/issues/960","tags":["exploit","issue-tracking"]},{"url":"https://github.com/simstudioai/sim/pull/1149","tags":["issue-tracking"]},{"url":"https://github.com/simstudioai/sim/commit/3424a338b763115f0269b209e777608e4cd31785","tags":["patch"]}],"tags":["x_open-source"]},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-09-08T15:53:26.453655Z","id":"CVE-2025-10096","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-09-08T15:54:31.292Z"}}]}}