CVE-2026-34523
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
A path traversal vulnerability in the static file route handler allows any unauthenticated user to determine whether files exist anywhere on the server's filesystem. By sending percent-encoded ../ sequences (%2E%2E%2F) in requests to static file routes, an attacker can check for the existence of files (404 if it doesn't exist, 403 means it exists).
Details
The vulnerability is in createRouteHandler (src/users.js:947-963), which backs all user-data static file routes:
function createRouteHandler(directoryFn) {
return async (req, res) => {
const directory = directoryFn(req);
const filePath = decodeURIComponent(req.params[0]);
const exists = fs.existsSync(path.join(directory, filePath)); // no boundary check here
if (!exists) {
return res.sendStatus(404);
}
return res.sendFile(filePath, { root: directory });
};
}req.params[0] contains the raw (percent-encoded) wildcard from the URL. After decodeURIComponent, a request path like /characters/%2E%2E%2F%2E%2E%2FUsers/kirakira decodes to ../../Users/kirakira, and path.join resolves it outside the intended directory. res.sendFile correctly blocks the file from being served (the send module's root check returns 403), but fs.existsSync had already run, and the 403/404 distinction reveals the result.
Affected routes (they all use the same handler, so they're all affected):
/characters/*/user/files/*/assets/*/user/images/*/backgrounds/*/User%20Avatars/*
PoC
curl -o /dev/null -s -w "%{http_code}\n" "http://localhost:8000/characters/%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2FUsers/kirakira/something"Impact
While file contents cannot be read (the send module blocks actual delivery), anyone who can reach the SillyTavern HTTP port can check the existence of files on the host filesystem.
Resolution
The issue was addressed in version 1.17.0.
AnalysisAI
Unauthenticated path traversal in SillyTavern static file route handlers allows remote attackers to enumerate filesystem structure by distinguishing 404 (file does not exist) from 403 (file exists but blocked) responses when submitting percent-encoded directory traversal sequences. The vulnerability affects versions prior to 1.17.0 and impacts multiple static file endpoints (/characters/*, /user/files/*, /assets/*, /user/images/*, /backgrounds/*, /User%20Avatars/*), disclosing whether arbitrary files exist on the server filesystem without authentication. File contents are not exposed due to the send module's root directory enforcement, limiting impact to information disclosure, but the fix is available and should be applied immediately.
Technical ContextAI
The vulnerability exists in the createRouteHandler function (src/users.js:947-963) which constructs file paths by decoding percent-encoded URL parameters without validating path boundaries. The handler uses decodeURIComponent on user-supplied input (req.params[0]), allowing encoded traversal sequences like %2E%2E%2F to become ../ after decoding. The fs.existsSync check executes against the traversal-resolved path before the send module's root directory restriction is applied, creating a timing-based information leak. When res.sendFile is invoked with the resolved path, the send module correctly enforces the root boundary and returns 403 Forbidden, but by that point the fs.existsSync call has already confirmed file existence. This is a classic example of CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) combined with an information disclosure flaw stemming from conditional error handling. The root cause is the absence of path.normalize() validation or realpath checks to ensure the decoded filePath remains within the intended directory before any filesystem operations occur.
RemediationAI
Upgrade SillyTavern to version 1.17.0 or later immediately. This patched version contains the fix to the createRouteHandler function that validates path boundaries before executing fs.existsSync. For installations using npm, execute 'npm install sillytavern@1.17.0' or higher. If immediate upgrade is not possible, the underlying mitigation is to restrict network access to the SillyTavern HTTP port to trusted networks only, limiting exposure of the file enumeration capability to authenticated or internal users. The patch address is documented in the official GitHub advisory at https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-525j-2hrj-m8fp; consult that advisory for any version-specific upgrade instructions or breaking changes.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-525j-2hrj-m8fp