Unrestricted File Upload Vulnerability in SimStudioAI's HTML File Parser
CVE-2025-9800

5.3MEDIUM

Key Information:

Vendor

Simstudioai

Status
Sim
Vendor
CVE Published:
1 September 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-9800?

A vulnerability exists in SimStudioAI's HTML File Parser related to the Import function within the route.ts file. This weakness permits attackers to manipulate the File argument, enabling the possibility of unrestricted file uploads. Such an exploit can be executed remotely, posing a significant risk to systems utilizing this product. As the product follows a rolling release model, specific versioning details are absent. However, it is essential to apply the provided patch (commit 45372aece5e05e04b417442417416a52e90ba174) to mitigate the risks associated with this vulnerability.

Affected Version(s)

sim ed9b9ad83f1a7c61f4392787fb51837d34eeb0af

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-9800 - Proof of Concept

References

https://vuldb.com/?id.322115
vdb-entrytechnical-description
https://vuldb.com/?ctiid.322115
signaturepermissions-required
https://vuldb.com/?submit.641129
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

ZAST.AI (VulDB User)
.
CVE-2025-9800 : Unrestricted File Upload Vulnerability in SimStudioAI's HTML File Parser