CVE-2025-15099CRITICAL 9.8EPSS p49.2%

CVE-2025-15099CVE-2025-15099

Description

A vulnerability was identified in simstudioai sim up to 0.5.27. This vulnerability affects unknown code of the file apps/sim/lib/auth/internal.ts of the component CRON Secret Handler. The manipulation of the argument INTERNAL_API_SECRET leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is e359dc2946b12ed5e45a0ec9c95ecf91bd18502a. Applying a patch is the recommended action to fix this issue.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.73% probability of exploitation · percentile 49.2% · 2026-06-19T12:03:05Z
Published2025-12-26
Last modified2026-04-29

Underlying weaknesses· 1

CWE-287

References

  1. https://gist.github.com/H2u8s/c533741e1b36f6245d41cace89a7f4d2
  2. https://gist.github.com/H2u8s/c533741e1b36f6245d41cace89a7f4d2#-steps-to-reproduce
  3. https://github.com/simstudioai/sim/commit/e359dc2946b12ed5e45a0ec9c95ecf91bd18502a
  4. https://github.com/simstudioai/sim/pull/2343
  5. https://vuldb.com/?ctiid.338430
  6. https://vuldb.com/?id.338430
  7. https://vuldb.com/?submit.710255
  8. https://gist.github.com/H2u8s/c533741e1b36f6245d41cace89a7f4d2#-steps-to-reproduce

1

TypeTargetConfidenceTier
WeaknessImproper Authenticationcwe-2870%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-10097
CVE
CVE-2025-9801
CVE
CVE-2026-3432
CVE
CVE-2026-3431
CVE
CVE-2025-55319
CVE
CVE-2025-66698
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.