{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-15099","assignerOrgId":"1af790b2-7ee1-4545-860a-a788eba489b5","state":"PUBLISHED","assignerShortName":"VulDB","dateReserved":"2025-12-25T16:18:38.982Z","datePublished":"2025-12-26T04:02:07.111Z","dateUpdated":"2025-12-26T15:04:35.405Z"},"containers":{"cna":{"providerMetadata":{"orgId":"1af790b2-7ee1-4545-860a-a788eba489b5","shortName":"VulDB","dateUpdated":"2025-12-26T04:02:07.111Z"},"title":"simstudioai sim CRON Secret internal.ts improper authentication","problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-287","lang":"en","description":"Improper Authentication"}]}],"affected":[{"vendor":"simstudioai","product":"sim","versions":[{"version":"0.5.0","status":"affected"},{"version":"0.5.1","status":"affected"},{"version":"0.5.2","status":"affected"},{"version":"0.5.3","status":"affected"},{"version":"0.5.4","status":"affected"},{"version":"0.5.5","status":"affected"},{"version":"0.5.6","status":"affected"},{"version":"0.5.7","status":"affected"},{"version":"0.5.8","status":"affected"},{"version":"0.5.9","status":"affected"},{"version":"0.5.10","status":"affected"},{"version":"0.5.11","status":"affected"},{"version":"0.5.12","status":"affected"},{"version":"0.5.13","status":"affected"},{"version":"0.5.14","status":"affected"},{"version":"0.5.15","status":"affected"},{"version":"0.5.16","status":"affected"},{"version":"0.5.17","status":"affected"},{"version":"0.5.18","status":"affected"},{"version":"0.5.19","status":"affected"},{"version":"0.5.20","status":"affected"},{"version":"0.5.21","status":"affected"},{"version":"0.5.22","status":"affected"},{"version":"0.5.23","status":"affected"},{"version":"0.5.24","status":"affected"},{"version":"0.5.25","status":"affected"},{"version":"0.5.26","status":"affected"},{"version":"0.5.27","status":"affected"}],"modules":["CRON Secret Handler"]}],"descriptions":[{"lang":"en","value":"A vulnerability was identified in simstudioai sim up to 0.5.27. This vulnerability affects unknown code of the file apps/sim/lib/auth/internal.ts of the component CRON Secret Handler. The manipulation of the argument INTERNAL_API_SECRET leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is e359dc2946b12ed5e45a0ec9c95ecf91bd18502a. Applying a patch is the recommended action to fix this issue."}],"metrics":[{"cvssV4_0":{"version":"4.0","baseScore":6.9,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P","baseSeverity":"MEDIUM"}},{"cvssV3_1":{"version":"3.1","baseScore":7.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C","baseSeverity":"HIGH"}},{"cvssV3_0":{"version":"3.0","baseScore":7.3,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C","baseSeverity":"HIGH"}},{"cvssV2_0":{"version":"2.0","baseScore":7.5,"vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}],"timeline":[{"time":"2025-12-25T00:00:00.000Z","lang":"en","value":"Advisory disclosed"},{"time":"2025-12-25T01:00:00.000Z","lang":"en","value":"VulDB entry created"},{"time":"2025-12-25T17:23:43.000Z","lang":"en","value":"VulDB entry last update"}],"credits":[{"lang":"en","value":"28Hus (VulDB User)","type":"reporter"}],"references":[{"url":"https://vuldb.com/?id.338430","name":"VDB-338430 | simstudioai sim CRON Secret internal.ts improper authentication","tags":["vdb-entry","technical-description"]},{"url":"https://vuldb.com/?ctiid.338430","name":"VDB-338430 | CTI Indicators (IOB, IOC, IOA)","tags":["signature","permissions-required"]},{"url":"https://vuldb.com/?submit.710255","name":"Submit #710255 | https://github.com/simstudioai https://github.com/simstudioai/sim ≤ v0.5.21 Authentication Bypass by Primary Weakness","tags":["third-party-advisory"]},{"url":"https://gist.github.com/H2u8s/c533741e1b36f6245d41cace89a7f4d2","tags":["related"]},{"url":"https://github.com/simstudioai/sim/pull/2343","tags":["issue-tracking"]},{"url":"https://gist.github.com/H2u8s/c533741e1b36f6245d41cace89a7f4d2#-steps-to-reproduce","tags":["exploit"]},{"url":"https://github.com/simstudioai/sim/commit/e359dc2946b12ed5e45a0ec9c95ecf91bd18502a","tags":["patch"]}],"tags":["x_open-source"]},"adp":[{"references":[{"url":"https://gist.github.com/H2u8s/c533741e1b36f6245d41cace89a7f4d2#-steps-to-reproduce","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-12-26T15:02:42.461328Z","id":"CVE-2025-15099","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-12-26T15:04:35.405Z"}}]}}