Skip to main content

CVE-2026-34522

HIGH
Path Traversal (CWE-22)
2026-04-01 https://github.com/SillyTavern/SillyTavern GHSA-xvww-xhx6-22pf
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch released
Apr 02, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 01, 2026 - 22:16 vuln.today
CVE Published
Apr 01, 2026 - 21:36 nvd
HIGH 8.1

DescriptionGitHub Advisory

Summary

A path traversal vulnerability in /api/chats/import allows an authenticated attacker to write attacker-controlled files outside the intended chats directory by injecting traversal sequences into character_name.

Details

character_name is used unsafely as part of the destination filename and then passed into path.join(...) without sanitization.

Evidence:

  • Import handler entrypoint:

<https://github.com/SillyTavern/SillyTavern/blob/b7bb8be35a5c779b4db12a4a5b94d7e49096071c/src/endpoints/chats.js#L680-L686>

  • Unsanitized character_name used in output filename:

<https://github.com/SillyTavern/SillyTavern/blob/b7bb8be35a5c779b4db12a4a5b94d7e49096071c/src/endpoints/chats.js#L719-L723>

  • Same write pattern in JSONL import branch:

<https://github.com/SillyTavern/SillyTavern/blob/b7bb8be35a5c779b4db12a4a5b94d7e49096071c/src/endpoints/chats.js#L759-L766>

  • Endpoint auth context (authenticated user access):

<https://github.com/SillyTavern/SillyTavern/blob/b7bb8be35a5c779b4db12a4a5b94d7e49096071c/src/server-main.js#L239>

Example payload:

  • character_name=../../../../tmp/st_poc

This causes the final destination path to escape from <user>/chats/<avatar>/... and write to an attacker-controlled location such as /tmp/... (or any writable path for the service account).

PoC

Prerequisites:

  • Valid authenticated session cookie (cookie.txt)
  • Valid CSRF token ($TOKEN)

Prepare payload:

bash
printf '{"user_name":"u","chat_metadata":{}}\n{"name":"u","mes":"owned"}\n' >/tmp/poc.jsonl

Trigger arbitrary write:

bash
curl -b cookie.txt -H "x-csrf-token: $TOKEN" \
  -F "avatar=@/tmp/poc.jsonl" \
  -F "file_type=jsonl" \
  -F "avatar_url=a.png" \
  -F "character_name=../../../../tmp/st_poc" \
  -F "user_name=u" \
  http://TARGET:8000/api/chats/import

Observed result:

  • A file is created outside chats directory, for example:

/tmp/st_poc - <timestamp> imported.jsonl

Impact

  • Integrity: attacker can create files in unintended filesystem locations.
  • Availability: can be used for disk abuse and disruptive file placement.
  • Can become more severe when chained with other local processing behaviors.

Resolution

The issue was addressed in version 1.17.0

AnalysisAI

Authenticated path traversal in SillyTavern's chat import API enables authenticated users to write arbitrary files outside intended directories. Attackers exploit unsanitized 'character_name' parameters in /api/chats/import (versions prior to 1.17.0) to inject traversal sequences (e.g., '../../../../tmp/malicious'), causing file writes to arbitrary filesystem locations accessible to the service account. With CVSS 8.1 (AV:N/AC:L/PR:L), this requires low-privilege authentication but no user intera

Technical ContextAI

This vulnerability affects the npm package 'sillytavern' (pkg:npm/sillytavern), a local-first AI chat interface application built on Node.js. The flaw resides in the chat import functionality at /api/chats/import endpoint, specifically in the handling of file uploads for character chat histories. The vulnerable code in src/endpoints/chats.js (lines 680-766) directly concatenates user-supplied 'character_name' parameter into filesystem path operations via Node.js path.join() without input validation or sanitization. This represents a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) implementation flaw. The application intends to store imported chats in a structured directory hierarchy (<user>/chats/<avatar>/), but the lack of path traversal defenses allows attackers to inject directory traversal sequences (../) that escape the intended sandbox. Node.js path.join() does not inherently prevent traversal attacks when components contain unvalidated user input. The vulnerability exists in both JSON and JSONL import code paths, affecting multiple file format handlers within the same endpoint.

RemediationAI

Upgrade immediately to SillyTavern version 1.17.0 or later, which addresses the path traversal vulnerability through input sanitization of the character_name parameter. The fix is available through standard npm update procedures (npm update sillytavern) or by pulling the latest release from the GitHub repository at https://github.com/SillyTavern/SillyTavern. For users unable to upgrade immediately, implement temporary mitigations: restrict /api/chats/import endpoint access through reverse proxy rules (nginx/Apache location blocks), implement filesystem permissions to limit write access for the SillyTavern service account to only the intended chats directory, or disable the import functionality entirely if not operationally required. Review filesystem audit logs for suspicious file creation patterns outside expected directories (grep for recently created files with 'imported.jsonl' suffix in unexpected paths). After patching, verify the fix by attempting the proof-of-concept attack from the advisory-properly patched systems should reject traversal sequences. Consult the official security advisory at https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-xvww-xhx6-22pf for additional vendor guidance and validated patch instructions.

Share

CVE-2026-34522 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy