Skip to main content
CVE Vulnerability Database

CVE-2025-9805: Sim Sim SSRF Vulnerability

CVE-2025-9805 is a server-side request forgery flaw in Sim Sim that enables remote attackers to manipulate server requests. This post covers the technical details, affected versions, security impact, and mitigation steps.

Published:

CVE-2025-9805 Overview

CVE-2025-9805 is a Server-Side Request Forgery (SSRF) vulnerability in SimStudioAI sim, an open-source AI workflow platform. The flaw resides in the image proxy handler at apps/sim/app/api/proxy/image/route.ts. An authenticated remote attacker can manipulate the proxy input to coerce the server into issuing arbitrary outbound HTTP requests. The issue is tracked under [CWE-918] and the exploit has been publicly disclosed. The project uses a rolling release model, so the affected baseline is identified by commit 51b1e97fa22c48d144aef75f8ca31a74ad2cfed2, with the fix delivered in commit 3424a338b763115f0269b209e777608e4cd31785.

Critical Impact

A remote attacker with low privileges can abuse the image proxy endpoint to reach internal services, cloud metadata endpoints, or other non-public resources reachable from the sim host.

Affected Products

  • SimStudioAI sim up to commit 51b1e97fa22c48d144aef75f8ca31a74ad2cfed2
  • Component: apps/sim/app/api/proxy/image/route.ts
  • Rolling release builds prior to patch commit 3424a338b763115f0269b209e777608e4cd31785

Discovery Timeline

  • 2025-09-02 - CVE-2025-9805 published to NVD
  • 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2025-9805

Vulnerability Analysis

The vulnerable code path is the image proxy route handler in apps/sim/app/api/proxy/image/route.ts. The handler accepts a user-supplied URL and performs a server-side fetch to retrieve the image content. Because the destination URL is not validated against an allowlist or filtered to exclude private address ranges, the server can be directed to request arbitrary internal or external endpoints.

This is a classic Server-Side Request Forgery pattern. The attacker uses the application server as a confused deputy, leveraging its network position to access resources that are not directly reachable from the public internet. According to the public disclosure, the attack requires only low privileges and no user interaction.

Root Cause

The root cause is missing or insufficient validation of the target URL parameter in the image proxy handler [CWE-918]. The handler does not enforce scheme restrictions, host allowlisting, or blocking of loopback and link-local address ranges before issuing the outbound request.

Attack Vector

An authenticated remote attacker sends a crafted request to the /api/proxy/image endpoint with a url parameter pointing at an internal target. The server fetches the URL and may return response data, status codes, or timing information to the attacker. Common targets include cloud instance metadata services such as http://169.254.169.254/, internal admin interfaces bound to localhost, and unauthenticated services on the internal network.

The vulnerability manifests at the proxy fetch step. Refer to the SimStudioAI patch commit and the public issue thread for the precise code-level details and the upstream fix.

Detection Methods for CVE-2025-9805

Indicators of Compromise

  • Outbound HTTP requests from the sim application server to private RFC1918 ranges, 127.0.0.0/8, or 169.254.169.254.
  • Requests to /api/proxy/image containing non-image hostnames, raw IP literals, or unusual URL schemes.
  • Unusual response sizes or status codes returned by the proxy endpoint that suggest internal service enumeration.

Detection Strategies

  • Inspect application and reverse-proxy logs for POST or GET traffic to /api/proxy/image and extract the url parameter for analysis.
  • Alert on any egress traffic from the sim workload destined for cloud metadata IPs or internal management interfaces.
  • Baseline the legitimate set of image hosts used by tenants and flag deviations.

Monitoring Recommendations

  • Forward sim application logs and host egress telemetry to a centralized analytics platform for correlation.
  • Enable cloud provider VPC flow logs and metadata access logging to identify SSRF-driven reconnaissance.
  • Track the rate of failed or redirected fetches from the image proxy as a proxy abuse signal.

How to Mitigate CVE-2025-9805

Immediate Actions Required

  • Update sim to a build that includes commit 3424a338b763115f0269b209e777608e4cd31785 or later.
  • Restrict outbound network access from the sim workload using egress firewall rules or a network policy.
  • Block access to cloud metadata endpoints from the application, for example by setting IMDSv2 with hop-limit 1 on AWS.

Patch Information

The upstream fix is committed as 3424a338b763115f0269b209e777608e4cd31785 in the SimStudioAI sim repository. Because sim ships as a rolling release, operators should redeploy from the current main branch or pull the latest container image once it is rebuilt past the patch commit. Tracking discussion is available in GitHub issue #1128.

Workarounds

  • Disable the /api/proxy/image route at the reverse proxy until the patched build is deployed.
  • Place the sim application behind an egress proxy that enforces an allowlist of external image hosts.
  • Drop outbound traffic to 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 169.254.0.0/16 from the sim workload.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.