| Title | Sim Studio / simstudioai sim Affected at least commit 7b572f1f61a8bbcee31fd7389097814a71f8f094; still present in origin/main commit e532e0a6da6fd22eee98310ba Improper Verification of Cryptographic Signature (CWE-347), Use |
|---|
| Description | A vulnerability was found in sim by simstudioai and classified as high severity. The affected component is the deployment authentication used by password-protected chat and form endpoints. Manipulation of the deployment authentication cookie leads to an authentication bypass. The attack can be launched remotely against a deployment endpoint by an attacker who knows the deployment identifier and can find the 32-bit truncated password hash.
Authentication required: no. User interaction required: no.
Technical Details
- Affected file/function: apps/sim/lib/core/security/deployment.ts / hashPassword, encryptAuthToken, validateAuthToken
- Affected file/function: apps/sim/app/api/chat/utils.ts / validateChatAuth
- Affected file/function: apps/sim/app/api/form/utils.ts / validateFormAuth
- Affected file/function: apps/sim/app/api/chat/[identifier]/route.ts / GET
- Affected file/function: apps/sim/app/api/form/[identifier]/route.ts / GET
- Vulnerable parameter: chat_auth_<deploymentId> or form_auth_<deploymentId> cookie
- Attack vector: Network
- Privileges required: None
- Trigger condition: A password-protected chat or form deployment accepts an auth cookie whose base64-decoded value contains deploymentId:type:timestamp:sha256(encryptedPassword).substring(0, 8). The token is not protected by an HMAC, signature, server-side session lookup, or other server-side secret.
The function hashPassword truncates SHA-256 to 8 hexadecimal characters, reducing the comparison value to 32 bits. The function encryptAuthToken serializes the deployment ID, auth type, timestamp, and truncated password hash and only base64-encodes the result; despite its name, nothing is encrypted or signed. The function validateAuthToken decodes the client-controlled token and accepts it when the deployment ID matches, the timestamp is not older than 24 hours, and the truncated hash equals the hash of the current encrypted password. Because no signature or server-side secret is involved, a client can construct a valid token entirely outside the server once the 32-bit value is known. The timestamp is also client-controlled, so a found value can be reused to mint fresh tokens until the underlying password (and therefore the encrypted password) changes. Finding the value blindly costs on the order of 2^32 online guesses against the endpoint, which is why attack complexity is rated high below; the cost drops to nothing if the value leaks by any other route, since the token then needs no secret at all.
A local proof using synthetic values reproduced the behavior without contacting a live service:
- hash_bits=32
- candidate_space=4294967296
- forged_fresh_valid=true
- wrong_hash_valid=false
- expired_valid=false
Impact
- Confidentiality: High. Unauthorized users may access protected chat/form deployment configuration and workflow outputs exposed through authenticated deployment flows.
- Integrity: High. Unauthorized users may submit inputs to protected workflows and trigger configured actions.
- Availability: Low. Online guessing attempts may consume deployment or application resources.
CVSS v3.1
Score: 7.7 (High), as computed from the vector below (an 8.1 would require A:H, which contradicts the Availability: Low rating above)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Timeline
- Discovered: 2026-03-27
- Vendor notified: 2026-03-27
- Patch released: [unknown]
- Public disclosure: [unknown]
Countermeasure
Replace the client-controlled base64 token with an HMAC-signed token, authenticated encrypted token, signed JWT with strict claims, or opaque server-side session ID. Do not include a truncated password hash as a bearer capability. Bind validation to a server-side secret and compare signatures using constant-time comparison. Add rate limiting and monitoring for failed deployment-auth attempts, and rotate deployment auth/session material after deploying the fix. |
|---|
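The token scheme from the Technical Details and the signed replacement from the Countermeasure, as an added example in TypeScript. This is not code from simstudioai/sim: the weak half is a model of the behaviour the report describes (deploymentId:type:timestamp:sha256(encryptedPassword).substring(0, 8), base64-encoded, checked against nothing but the client's own bytes), the hardened half is one HMAC-based design that satisfies the countermeasure, and every identifier, sample value and secret below is constructed for the demo. localProof() reproduces the five figures of the report's local proof; hardenedProof() shows the same forgeries failing against the signed token.

```typescript
// Added example, not code from simstudioai/sim: a model of the unsigned deployment-auth
// token the report describes, beside an HMAC-signed replacement. All identifiers,
// sample values and the secret are constructed for the demo.
import { createHash, createHmac, timingSafeEqual } from "node:crypto";

export type AuthType = "chat" | "form";
export const TOKEN_TTL_MS = 24 * 60 * 60 * 1000;

// ---- Weak scheme as described in the report (modelled here, not copied) ----

// 8 hex characters of SHA-256 leave a 32-bit comparison value.
export function hashPasswordTruncated(encryptedPassword: string): string {
  return createHash("sha256").update(encryptedPassword).digest("hex").substring(0, 8);
}

// deploymentId:type:timestamp:truncatedHash, base64-encoded. No secret is involved,
// so anyone holding the 32-bit value can mint a token with any timestamp.
export function encodeWeakToken(deploymentId: string, type: AuthType, timestamp: number, truncatedHash: string): string {
  return Buffer.from(`${deploymentId}:${type}:${timestamp}:${truncatedHash}`, "utf8").toString("base64");
}

export function validateWeakToken(token: string, deploymentId: string, type: AuthType, encryptedPassword: string, now: number): boolean {
  const parts = Buffer.from(token, "base64").toString("utf8").split(":");
  if (parts.length !== 4) return false;
  const [id, tokenType, tsStr, hash] = parts;
  const ts = Number(tsStr);
  if (id !== deploymentId || tokenType !== type || !Number.isFinite(ts)) return false;
  if (now - ts > TOKEN_TTL_MS) return false; // the client chose this timestamp
  return hash === hashPasswordTruncated(encryptedPassword); // 32-bit, unkeyed check
}

// Reproduces the report's local proof with constructed values and no network access.
export function localProof() {
  const deploymentId = "dep_constructed_1";
  const encryptedPassword = "enc$constructed-ciphertext"; // stands in for the stored value
  const now = 1_700_000_000_000;
  const found = hashPasswordTruncated(encryptedPassword); // what an online guesser would learn
  const wrong = found.slice(0, 7) + (found[7] === "0" ? "1" : "0"); // differs in the last nibble
  const check = (t: string) => validateWeakToken(t, deploymentId, "chat", encryptedPassword, now);
  return {
    hash_bits: found.length * 4,
    candidate_space: 2 ** (found.length * 4),
    forged_fresh_valid: check(encodeWeakToken(deploymentId, "chat", now, found)),
    wrong_hash_valid: check(encodeWeakToken(deploymentId, "chat", now, wrong)),
    expired_valid: check(encodeWeakToken(deploymentId, "chat", now - TOKEN_TTL_MS - 1, found)),
  };
}

// ---- Countermeasure: HMAC-signed token bound to a server-side secret ----

function mac(secret: Buffer, payloadB64: string): Buffer {
  return createHmac("sha256", secret).update(payloadB64).digest();
}

export function encodeSignedToken(secret: Buffer, deploymentId: string, type: AuthType, issuedAt: number): string {
  const payloadB64 = Buffer.from(JSON.stringify({ deploymentId, type, iat: issuedAt }), "utf8").toString("base64url");
  return `${payloadB64}.${mac(secret, payloadB64).toString("base64url")}`;
}

export function validateSignedToken(secret: Buffer, token: string, deploymentId: string, type: AuthType, now: number): boolean {
  const dot = token.lastIndexOf(".");
  if (dot < 0) return false;
  const payloadB64 = token.slice(0, dot);
  const given = Buffer.from(token.slice(dot + 1), "base64url");
  const expected = mac(secret, payloadB64);
  // Verify the MAC in constant time before trusting any claim in the payload.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return false;
  let parsed: unknown;
  try {
    parsed = JSON.parse(Buffer.from(payloadB64, "base64url").toString("utf8"));
  } catch {
    return false;
  }
  if (typeof parsed !== "object" || parsed === null) return false;
  const claims = parsed as Record<string, unknown>;
  const iat = claims.iat;
  if (claims.deploymentId !== deploymentId || claims.type !== type) return false;
  if (typeof iat !== "number" || iat > now || now - iat > TOKEN_TTL_MS) return false;
  return true;
}

// Without the secret, re-using a genuine MAC over forged claims fails, as does a
// token verified with the wrong secret or past its lifetime.
export function hardenedProof() {
  const secret = Buffer.from("constructed-server-secret-rotate-after-fix", "utf8");
  const now = 1_700_000_000_000;
  const genuine = encodeSignedToken(secret, "dep_constructed_1", "chat", now);
  const forgedPayload = Buffer.from(JSON.stringify({ deploymentId: "dep_constructed_2", type: "chat", iat: now }), "utf8").toString("base64url");
  const forged = `${forgedPayload}.${genuine.split(".")[1]}`;
  return {
    genuine_valid: validateSignedToken(secret, genuine, "dep_constructed_1", "chat", now + 1000),
    forged_claims_valid: validateSignedToken(secret, forged, "dep_constructed_2", "chat", now + 1000),
    wrong_secret_valid: validateSignedToken(Buffer.from("other-secret", "utf8"), genuine, "dep_constructed_1", "chat", now + 1000),
    expired_valid: validateSignedToken(secret, genuine, "dep_constructed_1", "chat", now + TOKEN_TTL_MS + 1),
  };
}
```

The design point is the order of checks in validateSignedToken: the MAC is verified with timingSafeEqual before any claim is parsed, so deploymentId, type and iat are only ever read from bytes the server itself produced. The secret is the only thing that distinguishes a genuine token from a forged one, which is why the countermeasure asks for it to be rotated once the fix is deployed; an opaque server-side session ID is the simpler alternative where a lookup per request is acceptable.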
| Source | https://github.com/simstudioai/sim/issues/4759 |
|---|
| User | Dem000000 (UID 98564) |
|---|
| Submission | 2026-05-27 14:34 (1 month ago) |
|---|
| Moderation | 2026-06-28 08:27 (1 month later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 374518 [SimStudioAI sim up to 0.6.92 Password Protection deployment.ts weak encryption] |
|---|
| Points | 20 |
|---|