VYPR
High severity (7.3) · NVD Advisory · Published Dec 26, 2025 · Updated Apr 29, 2026

CVE-2025-15099

Description

A vulnerability was identified in simstudioai sim up to 0.5.27. This vulnerability affects unknown code of the file apps/sim/lib/auth/internal.ts of the component CRON Secret Handler. The manipulation of the argument INTERNAL_API_SECRET leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is e359dc2946b12ed5e45a0ec9c95ecf91bd18502a. Applying a patch is the recommended action to fix this issue.

Affected products

  • cpe:2.3:a:sim:sim:*:*:*:*:*:*:*:*
    Range: <=0.5.27

Patches

e359dc2946b1

fix(cron): reject CRON requests when CRON secret is not set (#2343)

https://github.com/simstudioai/sim · Waleed · Dec 13, 2025 · via nvd-ref
2 files changed · +11 −1
  • apps/sim/app/api/workflows/middleware.ts (+1 −1, modified)
    @@ -42,7 +42,7 @@ export async function validateWorkflowAccess(
           }
     
           const internalSecret = request.headers.get('X-Internal-Secret')
    -      if (internalSecret === env.INTERNAL_API_SECRET) {
    +      if (env.INTERNAL_API_SECRET && internalSecret === env.INTERNAL_API_SECRET) {
             return { workflow }
           }
     
    
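Review bot: the rejection path in this hunk stays silent, unlike the CRON handler in the same patch, and the secret check is a plain `===` on `env.INTERNAL_API_SECRET`. The new truthiness guard correctly covers the unset and empty-string cases, but consider also logging the rejected request (as `verifyCronAuth` now does) and comparing the header against the secret with a constant-time helper such as Node's `crypto.timingSafeEqual` on equal-length buffers, so that a wrong `X-Internal-Secret` is both visible in logs and not distinguishable through timing.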
  • apps/sim/lib/auth/internal.ts (+10 −0, modified)
    @@ -69,6 +69,16 @@ export async function verifyInternalToken(
      * Returns null if authorized, or a NextResponse with error if unauthorized
      */
     export function verifyCronAuth(request: NextRequest, context?: string): NextResponse | null {
    +  if (!env.CRON_SECRET) {
    +    const contextInfo = context ? ` for ${context}` : ''
    +    logger.warn(`CRON endpoint accessed but CRON_SECRET is not configured${contextInfo}`, {
    +      ip: request.headers.get('x-forwarded-for') ?? request.headers.get('x-real-ip') ?? 'unknown',
    +      userAgent: request.headers.get('user-agent') ?? 'unknown',
    +      context,
    +    })
    +    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    +  }
    +
       const authHeader = request.headers.get('authorization')
       const expectedAuth = `Bearer ${env.CRON_SECRET}`
       if (authHeader !== expectedAuth) {
    
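Review bot: the doc comment directly above (`Returns null if authorized, or a NextResponse with error if unauthorized`) should be updated to mention the new early return when `CRON_SECRET` is unset. That case is a deployment misconfiguration rather than a bad credential, yet it returns the same `401 Unauthorized` body as the `authHeader !== expectedAuth` branch below, so a caller cannot tell the two apart; a distinct error body (or status) would make the `logger.warn` message easier to act on. Also, `x-forwarded-for` and `x-real-ip` are client-supplied unless a trusted proxy overwrites them, so the `ip` field in that warning should be treated as untrusted input when it is used for alerting.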
