How to fix CVE-2025-9805?

Within 30 days: Identify affected systems running SimStudioAI sim and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Is Sim affected by CVE-2025-9805?

Organizations using SimStudioAI sim should be aware of moderate risk from CVE-2025-9805, a server-side request forgery vulnerability rated CVSS 5.3. Users could be tricked into performing unintended actions. Proof-of-concept code is publicly available.

CVE-2025-9805

MEDIUM

2025-09-02 [email protected]

5.3

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:10 vuln.today

Patch Released

Mar 28, 2026 - 19:10 nvd

Patch available

PoC Detected

Nov 14, 2025 - 20:34 vuln.today

Public exploit code

CVE Published

Sep 02, 2025 - 01:15 nvd

MEDIUM 5.3

Description

A vulnerability was found in SimStudioAI sim up to 51b1e97fa22c48d144aef75f8ca31a74ad2cfed2. This issue affects some unknown processing of the file apps/sim/app/api/proxy/image/route.ts. The manipulation results in server-side request forgery. The attack may be performed from remote. The exploit has been made public and could be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The patch is identified as 3424a338b763115f0269b209e777608e4cd31785. Applying a patch is advised to resolve this issue.

Analysis

A vulnerability was found in SimStudioAI sim up to 51b1e97fa22c48d144aef75f8ca31a74ad2cfed2.ts. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical Context

This vulnerability is classified as Server-Side Request Forgery (SSRF) (CWE-918), which allows attackers to make the server perform requests to unintended internal or external resources. A vulnerability was found in SimStudioAI sim up to 51b1e97fa22c48d144aef75f8ca31a74ad2cfed2.ts. The manipulation results in server-side request forgery. The attack may be performed from remote. The exploit has been made public and could be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The patch is identified as 3424a338b763115f0269b209e777608e4cd31785. Applying a patch is advised to resolve this issue. Affected products include: Sim. Version information: up to 51.

Affected Products

Sim.

Remediation

A vendor patch is available. Apply the latest security update as soon as possible. Validate and allowlist destination URLs, block requests to internal networks, use network segmentation.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +26

POC: +20

CVE-2025-9805 vulnerability details – vuln.today

Back

CVE-2025-9805

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-9805

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code