sim ≤ v0.5.21 Authentication Bypass by Primary Weaknessinformation

Titre	https://github.com/simstudioai https://github.com/simstudioai/sim ≤ v0.5.21 Authentication Bypass by Primary Weakness
Description	When deploying using the official Docker deployment method, the key authentication key has a default value. During our security analysis of the Sim application, we identified a critical authentication bypass vulnerability originating from the internal authorization logic implemented in internal.ts. This module is responsible for securing internal API routes (e.g., cron endpoints, internal tasks, server-side system functions). However, the authentication logic contains an overly permissive condition: when the expected internal secret is missing, undefined, or empty, the verification step does not reject the request as intended. Attackers can exploit this vulnerability to bypass authentication and perform operations that could be harmful to the system.
La source	⚠️ https://gist.github.com/H2u8s/c533741e1b36f6245d41cace89a7f4d2
Utilisateur	28Hus (UID 92415)
Soumission	09/12/2025 15:13 (il y a 6 mois)
Modérer	25/12/2025 17:18 (16 days later)
Statut	Accepté
Entrée VulDB	338430 [simstudioai sim jusqu’à 0.5.27 CRON Secret internal.ts INTERNAL_API_SECRET authentification faible]
Points	20

Do you want to use VulDB in your project?

Use the official API to access entries easily!