CVE-2025-9801 Overview
CVE-2025-9801 is a path traversal vulnerability [CWE-22] in SimStudioAI sim, an open-source AI agent workflow platform. The flaw resides in the file upload handler, where the filePath argument is not properly sanitized before use. Remote authenticated attackers can manipulate this parameter to access or modify files outside the intended upload directory. The vulnerability affects commits up to ed9b9ad83f1a7c61f4392787fb51837d34eeb0af and has been publicly disclosed. Because SimStudioAI follows a rolling release model, no fixed version numbers are published; remediation is identified by patch commit 45372aece5e05e04b417442417416a52e90ba174.
Critical Impact
An authenticated remote attacker can manipulate the filePath parameter to traverse outside the intended directory, leading to limited integrity and availability impact on uploaded files.
Affected Products
- SimStudioAI sim up to commit ed9b9ad83f1a7c61f4392787fb51837d34eeb0af
- Deployments built from the simstudioai/sim repository before patch 45372aece5e05e04b417442417416a52e90ba174
- Self-hosted instances exposing the /api/files/upload route
Discovery Timeline
- 2025-09-01 - CVE-2025-9801 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-9801
Vulnerability Analysis
The vulnerability exists in the file upload and delete logic under apps/sim/app/api/files/. The handler accepts a filePath argument from the request and uses it to locate files on disk without validating that the resolved path remains within the intended upload directory. An authenticated user supplying traversal sequences such as ../ can reference arbitrary file system locations relative to the server process. The patch addresses the issue by enforcing an allowlist of permitted file extensions and removing dangerous formats such as SVG from supported MIME types. According to EPSS data published 2026-06-23, the exploit probability is 0.66% at the 46.73 percentile.
Root Cause
The root cause is missing canonicalization and containment checks on the user-controlled filePath parameter. The handler trusted the caller-supplied path component when constructing file system operations. There was no allowlist on file extensions, so attackers could also reference or upload file types intended to be blocked.
Attack Vector
Exploitation requires network access to the SimStudioAI sim API and low-privilege authenticated credentials. No user interaction is required. The attacker submits a crafted upload or delete request containing traversal sequences in filePath, causing the server to operate on a file outside the upload directory.
// Patch excerpt - apps/sim/app/api/files/upload/route.ts
// Source: https://github.com/simstudioai/sim/commit/45372aece5e05e04b417442417416a52e90ba174
// Allowlist of permitted file extensions for security
const ALLOWED_EXTENSIONS = new Set([
// Documents
'pdf',
'doc',
'docx',
'txt',
'md',
// Images (safe formats)
'png',
'jpg',
'jpeg',
'gif',
// Data files
'csv',
'xlsx',
'xls',
])
/**
* Validates file extension against allowlist
*/
function validateFileExtension(filename: string): boolean {
const extension = filename.split('.').pop()?.toLowerCase()
if (!extension) return false
return ALLOWED_EXTENSIONS.has(extension)
}
The second part of the patch removed SVG from the supported MIME map in apps/sim/app/api/files/utils.ts, because SVG payloads can carry embedded scripts:
// Patch excerpt - apps/sim/app/api/files/utils.ts
// Source: https://github.com/simstudioai/sim/commit/45372aece5e05e04b417442417416a52e90ba174
jpg: 'image/jpeg',
jpeg: 'image/jpeg',
gif: 'image/gif',
- svg: 'image/svg+xml',
// Archive formats
zip: 'application/zip',
Detection Methods for CVE-2025-9801
Indicators of Compromise
- HTTP requests to /api/files/upload or related file routes containing ../, ..\\, URL-encoded %2e%2e%2f, or absolute paths in the filePath parameter.
- Application log entries showing file writes or deletes outside the configured upload directory.
- Upload attempts referencing extensions outside the allowlist (pdf, doc, docx, txt, md, png, jpg, jpeg, gif, csv, xlsx, xls).
- Unexpected SVG, executable, or script files appearing in storage paths used by the sim service.
Detection Strategies
- Inspect HTTP request bodies and query strings to the sim API for traversal sequences in path-related parameters.
- Correlate file system audit events for the sim service account with the application's upload request log to identify writes outside expected directories.
- Hash and compare the deployed apps/sim/app/api/files/ route handlers against the post-patch commit to confirm the fix is present.
Monitoring Recommendations
- Enable verbose logging on the sim file API and forward logs to a central SIEM for retention and alerting.
- Alert on any 200-class response to file routes whose resolved canonical path is outside the configured uploads directory.
- Monitor for new low-privilege user accounts followed by bursts of file API activity, which may indicate credential abuse.
How to Mitigate CVE-2025-9801
Immediate Actions Required
- Pull and deploy SimStudioAI sim at or beyond commit 45372aece5e05e04b417442417416a52e90ba174.
- Audit existing storage directories for files written outside the intended upload paths and remove unauthorized content.
- Rotate any credentials, tokens, or secrets that were stored on the host file system reachable from the sim process.
- Restrict the sim API to trusted networks and require authenticated access until the patch is verified in production.
Patch Information
The upstream fix is delivered in commit simstudioai/sim 45372ae, titled "fix(files): fix vulnerabilities in file uploads/deletes (#1130)". The patch introduces an extension allowlist via validateFileExtension() in apps/sim/app/api/files/upload/route.ts and removes SVG from the supported MIME map in apps/sim/app/api/files/utils.ts. Discussion and reproduction context are tracked in GitHub Issue #959.
Workarounds
- Place the sim service behind a reverse proxy or web application firewall that rejects requests containing ../, ..\\, or URL-encoded traversal sequences in file parameters.
- Run the sim process as an unprivileged user with file system access scoped to a dedicated uploads directory using OS-level mandatory access controls.
- Mount the uploads directory on a separate filesystem or container volume with no symbolic links to sensitive locations.
# Example: pin deployment to the patched commit
git fetch origin
git checkout 45372aece5e05e04b417442417416a52e90ba174
# Example: verify the deployed handler contains the allowlist
grep -n "ALLOWED_EXTENSIONS" apps/sim/app/api/files/upload/route.ts
# Example: nginx rule to block traversal in file API requests
# location /api/files/ {
# if ($request_uri ~* "(\.\./|\.\.\\|%2e%2e%2f|%2e%2e/)") { return 400; }
# proxy_pass http://sim_backend;
# }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

