CVE-2025-15099
Unknown Unknown - Not Provided
Improper Authentication in simstudioai CRON Secret Handler

Publication date: 2025-12-26

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in simstudioai sim up to 0.5.27. This vulnerability affects unknown code of the file apps/sim/lib/auth/internal.ts of the component CRON Secret Handler. The manipulation of the argument INTERNAL_API_SECRET leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is e359dc2946b12ed5e45a0ec9c95ecf91bd18502a. Applying a patch is the recommended action to fix this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-26
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-26
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15099
EUVD
EUVD-2025-205425
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
simstudioai sim 0.5.0
simstudioai sim 0.5.27
simstudioai sim 0.5.21
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-15099 is a critical authentication bypass vulnerability in the simstudioai sim software (up to version 0.5.27). It occurs in the CRON Secret Handler component, specifically in the file apps/sim/lib/auth/internal.ts. The vulnerability arises because the system improperly handles the INTERNAL_API_SECRET argument, allowing attackers to bypass authentication if this secret is missing, undefined, or empty. This flaw enables remote attackers to access internal API routes, such as cron endpoints and workflow executions, without proper authorization. Exploits are publicly available, making it easy for attackers to trigger scheduled workflows, manipulate logs, and potentially cause denial-of-service or data corruption. [1, 3, 4]

Impact Analysis

This vulnerability can have severe impacts including unauthorized triggering of all enabled scheduled workflows, leading to resource exhaustion and repeated execution of business logic. Attackers can manipulate or delete sensitive workflow execution logs, tamper with external integrations like Microsoft Teams webhooks, and cause system instability or denial-of-service conditions. Although attackers cannot create new workflows, they can prematurely trigger existing ones and inject false error data into logs. Overall, it compromises confidentiality, integrity, and availability of the affected system. [1, 4]

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or suspicious requests to internal API endpoints, especially those involving CRON jobs or workflow executions. Specifically, look for requests with headers such as `Authorization: Bearer undefined` or `X-Internal-Secret: undefined`, which indicate attempts to bypass authentication due to missing or undefined secrets. You can use network traffic inspection tools like tcpdump or Wireshark to capture HTTP requests targeting endpoints like `/api/schedules/execute`, `/api/logs/cleanup`, `/api/cron/renew-subscriptions`, and `/api/webhooks/*`. Example commands include: 1. Using curl to test if the endpoint improperly accepts requests without valid secrets: ```bash curl -H "Authorization: Bearer undefined" https://your-sim-instance/api/schedules/execute -v ``` 2. Using tcpdump to capture suspicious HTTP requests: ```bash sudo tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep -E 'Authorization: Bearer undefined|X-Internal-Secret: undefined' ``` 3. Checking application logs for warnings or unauthorized access attempts related to missing CRON_SECRET or INTERNAL_API_SECRET environment variables. These methods help identify if the system is vulnerable or being targeted by exploit attempts. [4]

Mitigation Strategies

The immediate mitigation step is to apply the official patch identified by commit ID e359dc2946b12ed5e45a0ec9c95ecf91bd18502a, which enforces strict authentication checks on CRON and internal API endpoints. Additionally, ensure that the environment variables `INTERNAL_API_SECRET` and `CRON_SECRET` are properly set with strong, secret values in your deployment environment. If these secrets are not configured, the patched system will reject requests with HTTP 401 Unauthorized responses, preventing unauthorized access. Also, review and update your deployment configurations (e.g., Docker compose files) to include these secrets explicitly. Monitor logs for unauthorized access attempts and consider temporarily restricting network access to internal API endpoints until the patch and configuration are applied. [2, 5]

Compliance Impact

The vulnerability allows unauthorized remote attackers to bypass authentication and potentially access or manipulate internal API endpoints, including scheduled workflows and sensitive logs. This can lead to unauthorized access to sensitive data, data corruption, and denial-of-service conditions. Such unauthorized access and potential data breaches could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data. However, the provided resources do not explicitly discuss compliance impacts or regulatory considerations. [1, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15099. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart