CVE-2025-10097
BaseFortify
Publication date: 2025-09-08
Last updated on: 2026-03-10
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sim | sim | 1.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-10097 is a remote code execution vulnerability in SimStudioAI's Sim software, affecting version 1.0.0 (the advisory lists releases up to and including 1.0.0). The flaw is in the API endpoint `/api/function/execute`: the request parameter `code` is handed to a JavaScript execution path without validation, filtering, or escaping of special elements (CWE-94 code injection, with CWE-74 as the general injection class). A remote attacker can therefore supply arbitrary JavaScript that runs on the server. Code that runs server-side in Node.js can reach the filesystem, environment and process-spawning APIs, so the practical effect is command execution with whatever privileges the Sim server process holds. [1, 2, 3]
How can this vulnerability impact me?
A remote attacker who can reach the endpoint can execute arbitrary code on the affected host, which compromises the confidentiality, integrity and availability of the system. The advisory describes the attack as remote; it does not state whether a session or API key is needed, so treat any network path to `/api/function/execute` as a risk until that is confirmed for your deployment. Injected code runs with the privileges of the Sim server process (root, if the service is run as root or in a container with elevated rights), so an attacker can read secrets and data, modify or delete information, disrupt the service, or use the host as a foothold for further attacks. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation attempts look like POST requests to `/api/function/execute` whose JSON body carries a `code` parameter. Detection therefore has two parts. On the network, inspect HTTP traffic (or reverse-proxy / WAF logs) for POSTs to that path and alert on `code` values that reference host-level capabilities, for example `child_process`, `process.binding`, `require(` with a non-literal argument, `eval(` or `new Function(`. On the server, review the application's request logs for the same endpoint and compare any `code` bodies against the published proof-of-concept. Note that a plain pattern match only catches unobfuscated payloads; any POST to this endpoint from an unexpected source deserves a look regardless of content.

To confirm that a given instance exposes the endpoint, send a benign payload (do not run on production without authorization):

```bash
curl -X POST https://<target>/api/function/execute \
  -H 'Content-Type: application/json' \
  -d '{"code":"return 1+1;","timeout":1000}'
```

A response that returns the evaluated result shows the endpoint executes submitted code; an error, a 404, or a 403 from an access control in front of it does not prove the flaw is absent, only that this path is blocked. Configure monitoring or intrusion detection to alert on POST requests to `/api/function/execute` with a `code` parameter. [3]
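The log review described above, as an added example that is not part of the BaseFortify page or of Sim's own code. It scans JSON-formatted request log lines for POSTs to `/api/function/execute` and flags `code` bodies that reach for Node.js host capabilities. The log field names (`method`, `path`, `src_ip`, `body`), the indicator list and the sample lines are all constructed for illustration; adapt the parser to whatever your proxy or application actually emits.

```javascript
// Added example (not from the BaseFortify page or the Sim project):
// triage JSON request logs for suspicious POSTs to /api/function/execute.
// Field names and sample lines are assumptions, not Sim's real log format.

const TARGET_PATH = '/api/function/execute';

// Indicators that a submitted JavaScript snippet tries to leave the
// function-execution context. A denylist is a triage aid, not a security
// boundary: an attacker can split strings or compute names at runtime,
// so treat a hit as a lead and a miss as "not yet examined".
const INDICATORS = [
  { name: 'child_process',      re: /child_process/i },
  { name: 'process.binding',    re: /process\s*\.\s*binding/ },
  { name: 'process.env',        re: /process\s*\.\s*env/ },
  { name: 'fs-module',          re: /require\s*\(\s*['"`]fs['"`]\s*\)/ },
  { name: 'dynamic-require',    re: /require\s*\(\s*[^'"`)]/ },        // require(someVar)
  { name: 'eval-or-Function',   re: /\beval\s*\(|new\s+Function\s*\(/ },
  { name: 'constructor-escape', re: /\.constructor\s*\(|constructor\.constructor/ },
  { name: 'outbound-fetch',     re: /\b(fetch|http\.request|https\.request)\s*\(/ },
];

// Parse one log line; malformed lines are skipped rather than fatal.
function parseLine(line) {
  try { return JSON.parse(line); } catch { return null; }
}

// Return the names of every indicator that matches the submitted code.
function inspectCode(code) {
  if (typeof code !== 'string') return [];
  return INDICATORS.filter(i => i.re.test(code)).map(i => i.name);
}

// Walk the log and produce one finding per POST to the target path.
function scanLogs(lines) {
  const findings = [];
  for (const [idx, line] of lines.entries()) {
    const ev = parseLine(line);
    if (!ev || ev.method !== 'POST' || typeof ev.path !== 'string') continue;
    if (ev.path.split('?')[0] !== TARGET_PATH) continue;
    // Some proxies log the body as a raw string, others as parsed JSON.
    let body = ev.body;
    if (typeof body === 'string') body = parseLine(body);
    const code = body && body.code;
    const hits = inspectCode(code);
    findings.push({
      line: idx + 1,
      src: ev.src_ip,
      codeLen: typeof code === 'string' ? code.length : 0,
      hits,
      suspicious: hits.length > 0,
    });
  }
  return findings;
}

// Constructed sample log lines (not real traffic): a benign probe like the
// curl command above, an attempt to spawn a shell, an unrelated GET, and junk.
const SAMPLE_LOG = [
  JSON.stringify({ ts: '2025-09-08T10:00:00Z', src_ip: '10.0.0.5', method: 'POST',
    path: '/api/function/execute', body: { code: 'return 1+1;', timeout: 1000 } }),
  JSON.stringify({ ts: '2025-09-08T10:00:01Z', src_ip: '203.0.113.7', method: 'POST',
    path: '/api/function/execute', body: JSON.stringify({
      code: "process.binding('spawn_sync'); return require('child_process').execSync('id').toString();",
      timeout: 5000 }) }),
  JSON.stringify({ ts: '2025-09-08T10:00:02Z', src_ip: '10.0.0.9', method: 'GET', path: '/api/health' }),
  'not json at all',
];

for (const f of scanLogs(SAMPLE_LOG)) console.log(JSON.stringify(f));
```

Run it with `node` to see one line per matching request; only the second sample is marked `suspicious`. Pipe real logs in by replacing `SAMPLE_LOG` with the lines of your access log, and extend `INDICATORS` as you see new payload styles.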
What immediate steps should I take to mitigate this vulnerability?
The safest immediate action is to disable `/api/function/execute` or restrict who can reach it until a fixed release is available. At the time this entry was written no patch or vendor countermeasure was listed, so plan to upgrade as soon as one is published. In the meantime: put the endpoint behind network-level controls (firewall or reverse-proxy rules that deny the path except from trusted addresses), require authentication in front of it if your deployment does not already, and alert on any request that reaches it. Input validation on the `code` parameter is a weak control here: the endpoint's purpose is to run caller-supplied JavaScript, and a denylist of dangerous tokens can be bypassed by obfuscation, so treat filtering as a stopgap that reduces noise rather than a fix. [2]
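One way to apply the "deny by default, allowlist the rest" mitigation inside the application, as an added example that is not the page's or Sim's own code. The gate blocks `/api/function/execute` entirely unless a feature flag is on, and then only admits callers from allowlisted IPv4 ranges based on the socket address (not `X-Forwarded-For`, which an attacker controls unless the proxy is trusted). The configuration shape, the `makeGate(req, res, next)` adapter and the addresses are assumptions for illustration.

```javascript
// Added example (not from the BaseFortify page or the Sim project): a
// framework-agnostic access gate for /api/function/execute. Config shape,
// addresses and the Express-style adapter are illustrative assumptions.

const PROTECTED_PATH = '/api/function/execute';

// Parse dotted IPv4 into an unsigned 32-bit integer; null if malformed.
function ipToInt(ip) {
  const p = ip.split('.').map(Number);
  if (p.length !== 4 || p.some(n => !Number.isInteger(n) || n < 0 || n > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

// True if ip falls inside cidr ("10.0.0.0/8"; a bare address means /32).
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const a = ipToInt(ip), b = ipToInt(net);
  if (a === null || b === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Node reports IPv4 peers on dual-stack sockets as "::ffff:a.b.c.d".
function peerIPv4(req) {
  const raw = req.socket && req.socket.remoteAddress;
  if (typeof raw !== 'string') return null;
  return raw.startsWith('::ffff:') ? raw.slice(7) : raw;
}

// Pure decision: allow or deny, with the HTTP status and a reason for logs.
function decide(req, cfg) {
  const path = (req.url || '').split('?')[0];
  if (path !== PROTECTED_PATH) return { allow: true, reason: 'not-protected' };
  // Feature off: answer 404 so the route is indistinguishable from absent.
  if (!cfg.functionExecuteEnabled) return { allow: false, status: 404, reason: 'feature-disabled' };
  const ip = peerIPv4(req);
  if (!ip || !cfg.allowCidrs.some(c => inCidr(ip, c))) {
    return { allow: false, status: 403, reason: 'source-not-allowlisted' };
  }
  return { allow: true, reason: 'allowlisted' };
}

// Express-style middleware adapter (req, res, next). Blocked attempts are
// logged in a structured form so the detection side can alert on them.
function makeGate(cfg) {
  return function gate(req, res, next) {
    const d = decide(req, cfg);
    if (d.allow) return next();
    console.warn(JSON.stringify({ event: 'blocked_function_execute',
      ip: peerIPv4(req), path: req.url, reason: d.reason }));
    res.statusCode = d.status;
    res.setHeader && res.setHeader('Content-Type', 'application/json');
    res.end(JSON.stringify({ error: 'not available' }));
  };
}

// Assumed deployment policy: feature stays off until patched; if it must be
// on, only the internal 10.0.0.0/8 range may call it.
const CONFIG = { functionExecuteEnabled: false, allowCidrs: ['10.0.0.0/8'] };

// Constructed requests (not real traffic) showing the three outcomes.
const examples = [
  { url: '/api/function/execute', socket: { remoteAddress: '::ffff:10.0.0.5' } },
  { url: '/api/function/execute', socket: { remoteAddress: '203.0.113.7' } },
  { url: '/api/health',           socket: { remoteAddress: '203.0.113.7' } },
];
for (const r of examples) console.log(r.url, r.socket.remoteAddress, '->', JSON.stringify(decide(r, CONFIG)));
```

Mount `makeGate(CONFIG)` before the route handler (in Express, `app.use(makeGate(CONFIG))`). With the flag off every caller gets 404; flipping it on admits only the allowlisted range. If you also front the service with a reverse proxy, keep the proxy-level deny rule as well, so a misconfiguration in one layer does not expose the endpoint.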