Skip to main content

CVE-2026-34523

MEDIUM
Path Traversal (CWE-22)
2026-04-01 https://github.com/SillyTavern/SillyTavern GHSA-525j-2hrj-m8fp
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch released
Apr 02, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 01, 2026 - 22:16 vuln.today
CVE Published
Apr 01, 2026 - 21:40 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Summary

A path traversal vulnerability in the static file route handler allows any unauthenticated user to determine whether files exist anywhere on the server's filesystem. By sending percent-encoded ../ sequences (%2E%2E%2F) in requests to static file routes, an attacker can check for the existence of files (404 if it doesn't exist, 403 means it exists).

Details

The vulnerability is in createRouteHandler (src/users.js:947-963), which backs all user-data static file routes:

javascript
function createRouteHandler(directoryFn) {
    return async (req, res) => {
        const directory = directoryFn(req);
        const filePath = decodeURIComponent(req.params[0]);
        const exists = fs.existsSync(path.join(directory, filePath)); // no boundary check here
        if (!exists) {
            return res.sendStatus(404);
        }
        return res.sendFile(filePath, { root: directory });
    };
}

req.params[0] contains the raw (percent-encoded) wildcard from the URL. After decodeURIComponent, a request path like /characters/%2E%2E%2F%2E%2E%2FUsers/kirakira decodes to ../../Users/kirakira, and path.join resolves it outside the intended directory. res.sendFile correctly blocks the file from being served (the send module's root check returns 403), but fs.existsSync had already run, and the 403/404 distinction reveals the result.

Affected routes (they all use the same handler, so they're all affected):

  • /characters/*
  • /user/files/*
  • /assets/*
  • /user/images/*
  • /backgrounds/*
  • /User%20Avatars/*

PoC

bash
curl -o /dev/null -s -w "%{http_code}\n" "http://localhost:8000/characters/%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2FUsers/kirakira/something"

Impact

While file contents cannot be read (the send module blocks actual delivery), anyone who can reach the SillyTavern HTTP port can check the existence of files on the host filesystem.

Resolution

The issue was addressed in version 1.17.0.

AnalysisAI

Unauthenticated path traversal in SillyTavern static file route handlers allows remote attackers to enumerate filesystem structure by distinguishing 404 (file does not exist) from 403 (file exists but blocked) responses when submitting percent-encoded directory traversal sequences. The vulnerability affects versions prior to 1.17.0 and impacts multiple static file endpoints (/characters/*, /user/files/*, /assets/*, /user/images/*, /backgrounds/*, /User%20Avatars/*), disclosing whether arbitrary files exist on the server filesystem without authentication. File contents are not exposed due to the send module's root directory enforcement, limiting impact to information disclosure, but the fix is available and should be applied immediately.

Technical ContextAI

The vulnerability exists in the createRouteHandler function (src/users.js:947-963) which constructs file paths by decoding percent-encoded URL parameters without validating path boundaries. The handler uses decodeURIComponent on user-supplied input (req.params[0]), allowing encoded traversal sequences like %2E%2E%2F to become ../ after decoding. The fs.existsSync check executes against the traversal-resolved path before the send module's root directory restriction is applied, creating a timing-based information leak. When res.sendFile is invoked with the resolved path, the send module correctly enforces the root boundary and returns 403 Forbidden, but by that point the fs.existsSync call has already confirmed file existence. This is a classic example of CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) combined with an information disclosure flaw stemming from conditional error handling. The root cause is the absence of path.normalize() validation or realpath checks to ensure the decoded filePath remains within the intended directory before any filesystem operations occur.

RemediationAI

Upgrade SillyTavern to version 1.17.0 or later immediately. This patched version contains the fix to the createRouteHandler function that validates path boundaries before executing fs.existsSync. For installations using npm, execute 'npm install sillytavern@1.17.0' or higher. If immediate upgrade is not possible, the underlying mitigation is to restrict network access to the SillyTavern HTTP port to trusted networks only, limiting exposure of the file enumeration capability to authenticated or internal users. The patch address is documented in the official GitHub advisory at https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-525j-2hrj-m8fp; consult that advisory for any version-specific upgrade instructions or breaking changes.

Share

CVE-2026-34523 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy