CVE-2025-7107

Public Exploit

SimStudioAI sim route.ts handleLocalFile path traversal

Description

A vulnerability classified as critical has been found in SimStudioAI sim up to 0.1.17. Affected is the function handleLocalFile of the file apps/sim/app/api/files/parse/route.ts. The manipulation of the argument filePath leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The patch is identified as b2450530d1ddd0397a11001a72aa0fde401db16a. It is recommended to apply a patch to fix this issue.

References

Link	Tags
https://vuldb.com/?id.315018	vdb entry technical description
https://vuldb.com/?ctiid.315018	signature permissions required
https://vuldb.com/?submit.601043	third party advisory
https://github.com/vri-report/reports/issues/2	issue tracking
https://github.com/simstudioai/sim/pull/437	issue tracking
https://github.com/vri-report/reports/issues/2#issue-3161840085	issue tracking exploit
https://github.com/simstudioai/sim/commit/b2450530d1ddd0397a11001a72aa0fde401db16a	patch

Frequently Asked Questions

What is the severity of CVE-2025-7107?: CVE-2025-7107 has been scored as a medium severity vulnerability.
How to fix CVE-2025-7107?: To fix CVE-2025-7107, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-7107 being actively exploited in the wild?: It is possible that CVE-2025-7107 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-7107?: CVE-2025-7107 affects SimStudioAI sim.

Description

Category

CWE-22 – Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

References

Frequently Asked Questions