CVE-2026-34523

MEDIUM
2026-04-01 https://github.com/SillyTavern/SillyTavern GHSA-525j-2hrj-m8fp
5.3
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

- Patch Released: Apr 02, 2026 - 02:30 (nvd). Patch available
- Analysis Generated: Apr 01, 2026 - 22:16 (vuln.today)
- CVE Published: Apr 01, 2026 - 21:40 (nvd). MEDIUM 5.3

Description

### Summary

A path traversal vulnerability in the static file route handler allows any unauthenticated user to determine whether files exist anywhere on the server's filesystem. By sending percent-encoded `../` sequences (`%2E%2E%2F`) in requests to static file routes, an attacker can check for the existence of files (404 if it doesn't exist, 403 means it exists).

### Details

The vulnerability is in `createRouteHandler` (`src/users.js:947-963`), which backs all user-data static file routes:

```javascript
function createRouteHandler(directoryFn) {
    return async (req, res) => {
        const directory = directoryFn(req);
        const filePath = decodeURIComponent(req.params[0]);
        const exists = fs.existsSync(path.join(directory, filePath)); // no boundary check here
        if (!exists) {
            return res.sendStatus(404);
        }
        return res.sendFile(filePath, { root: directory });
    };
}
```

`req.params[0]` contains the raw (percent-encoded) wildcard from the URL. After `decodeURIComponent`, a request path like `/characters/%2E%2E%2F%2E%2E%2FUsers/kirakira` decodes to `../../Users/kirakira`, and `path.join` resolves it outside the intended directory. `res.sendFile` correctly blocks the file from being served (the `send` module's root check returns 403), but `fs.existsSync` had already run, and the 403/404 distinction reveals the result.

Affected routes (they all use the same handler, so they're all affected):

- `/characters/*`
- `/user/files/*`
- `/assets/*`
- `/user/images/*`
- `/backgrounds/*`
- `/User%20Avatars/*`

### PoC

```bash
curl -o /dev/null -s -w "%{http_code}\n" "http://localhost:8000/characters/%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2FUsers/kirakira/something"
```

### Impact

While file contents cannot be read (the `send` module blocks actual delivery), anyone who can reach the SillyTavern HTTP port can check the existence of files on the host filesystem.

### Resolution

The issue was addressed in version 1.17.0.
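The ordering problem described under Details, shown next to a handler that checks the boundary before touching the filesystem. This is an added example, not SillyTavern's code or its 1.17.0 patch; `resolveInside`, `vulnerableStatus`, `hardenedStatus` and `demo` are hypothetical names, the `send` root check is modelled rather than called, and the temp-directory layout is constructed.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Decode the wildcard and resolve it under root. Returns null for malformed
// input or any path that lands outside root, before the filesystem is touched.
// Symlinks inside root are not resolved here.
function resolveInside(root, rawParam) {
    let decoded;
    try {
        decoded = decodeURIComponent(rawParam);
    } catch {
        return null; // malformed percent-escape
    }
    if (decoded.includes('\0')) return null;
    const base = path.resolve(root);
    const rel = path.relative(base, path.resolve(base, decoded));
    const outside = rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
    return outside ? null : path.join(base, rel);
}

// Model of the handler quoted above: existsSync runs first, then the root
// check in `send` (modelled here with resolveInside) answers 403.
function vulnerableStatus(root, rawParam) {
    const exists = fs.existsSync(path.join(root, decodeURIComponent(rawParam)));
    if (!exists) return 404;
    return resolveInside(root, rawParam) ? 200 : 403;
}

// Boundary check first: outside and missing paths are indistinguishable.
function hardenedStatus(root, rawParam) {
    const target = resolveInside(root, rawParam);
    return target && fs.existsSync(target) ? 200 : 404;
}

// Constructed layout: <tmp>/secret.txt sits two levels above the served root.
function demo() {
    const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'st-demo-'));
    const root = path.join(tmp, 'data', 'characters');
    fs.mkdirSync(root, { recursive: true });
    fs.writeFileSync(path.join(root, 'a.png'), '');
    fs.writeFileSync(path.join(tmp, 'secret.txt'), '');
    const probes = ['a.png', '%2E%2E%2F%2E%2E%2Fsecret.txt', '%2E%2E%2F%2E%2E%2Fmissing.txt'];
    const rows = probes.map((p) => [p, vulnerableStatus(root, p), hardenedStatus(root, p)]);
    fs.rmSync(tmp, { recursive: true, force: true });
    return rows; // [probe, status before, status after]
}
```

Each row from `demo()` pairs a probe with the status from the modelled original handler and from the hardened one; the 403/404 split for out-of-root paths appears only in the first.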

Analysis

Unauthenticated path traversal in SillyTavern static file route handlers allows remote attackers to enumerate filesystem structure by distinguishing 404 (file does not exist) from 403 (file exists but blocked) responses when submitting percent-encoded directory traversal sequences. The vulnerability affects versions prior to 1.17.0 and impacts multiple static file endpoints (/characters/*, /user/files/*, /assets/*, /user/images/*, /backgrounds/*, /User%20Avatars/*), disclosing whether arbitrary files exist on the server filesystem without authentication. …


Priority Score

27
KEV: 0
EPSS: +0.1
CVSS: +26
POC: 0
