CVE-2026-34524
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
A Path Traversal vulnerability in chat endpoints allows an authenticated attacker to read and delete arbitrary files under their user data root (for example secrets.json and settings.json) by supplying avatar_url="..".
Details
The input validator used by avatar_url blocks only / and NUL bytes, but does not block traversal segments like ...
Evidence:
- Weak validator regex (does not reject
..):
<https://github.com/SillyTavern/SillyTavern/blob/b7bb8be35a5c779b4db12a4a5b94d7e49096071c/src/middleware/validateFileName.js#L24-L27>
- Vulnerable delete path construction:
<https://github.com/SillyTavern/SillyTavern/blob/b7bb8be35a5c779b4db12a4a5b94d7e49096071c/src/endpoints/chats.js#L575-L577>
- Vulnerable export path construction:
<https://github.com/SillyTavern/SillyTavern/blob/b7bb8be35a5c779b4db12a4a5b94d7e49096071c/src/endpoints/chats.js#L595-L598>
- Endpoint auth context (authenticated user access):
<https://github.com/SillyTavern/SillyTavern/blob/b7bb8be35a5c779b4db12a4a5b94d7e49096071c/src/server-main.js#L239>
Because avatar_url=".." is accepted, path.join(<user>/chats, "..") resolves to <user>/, enabling direct access to files outside the chats directory.
PoC
Prerequisites:
- Valid authenticated session cookie (
cookie.txt) - Valid CSRF token (
$TOKEN)
Read sensitive file (secrets.json):
curl -b cookie.txt -H "x-csrf-token: $TOKEN" -H "content-type: application/json" \
-d '{"avatar_url":"..","is_group":false,"file":"secrets.json","format":"jsonl","exportfilename":"x"}' \
http://TARGET:8000/api/chats/exportDelete sensitive file (settings.json):
curl -b cookie.txt -H "x-csrf-token: $TOKEN" -H "content-type: application/json" \
-d '{"avatar_url":"..","chatfile":"settings.json"}' \
http://TARGET:8000/api/chats/deleteImpact
- Confidentiality: exposed per-user secrets and config data.
- Integrity/Availability: attacker can delete critical per-user files and break account operation.
- Risk is significant in multi-user or remotely reachable deployments.
Resolution
The issue was addressed in version 1.17.0
AnalysisAI
Path traversal in SillyTavern's chat API allows authenticated attackers to read and delete sensitive configuration files (secrets.json, settings.json) outside the intended chats directory by exploiting insufficient input validation on the avatar_url parameter. The vulnerability (CVSS 8.3) permits traversal using '..' segments due to a regex validator that only blocks '/' and NUL bytes. Publicly available exploit code exists with working proof-of-concept commands provided in the GitHub advisory. EPSS data not available, but the straightforward exploitation path (AV:N/AC:L/PR:L) and availability of working POC code present significant risk for multi-user or internet-facing SillyTavern deployments. Vendor-released patch available in version 1.17.0.
Technical ContextAI
SillyTavern is a Node.js-based chat interface application (npm package). The vulnerability stems from CWE-22 (Path Traversal) in the middleware input validation layer. The validateFileName.js module uses a regex pattern that blocks forward slashes and NUL bytes but fails to sanitize '..' traversal sequences. When user-supplied avatar_url values are passed to Node.js path.join() operations in the /api/chats/export and /api/chats/delete endpoints, the '..' segments resolve upward from the intended <user>/chats/ directory to the parent <user>/ directory. This allows authenticated attackers to construct file paths that reference sensitive files like secrets.json (API credentials) and settings.json (application configuration) stored in the user data root, bypassing directory containment controls. The endpoints are protected by authentication and CSRF tokens but do not perform secondary path canonicalization checks.
RemediationAI
Upgrade immediately to SillyTavern version 1.17.0 or later, which addresses the path traversal vulnerability through improved input validation. The patch enhances the validateFileName middleware to properly reject '..' traversal sequences in addition to the existing '/' and NUL byte blocks. Organizations unable to upgrade immediately should implement network-level access controls to restrict the /api/chats/* endpoints to trusted users only and consider disabling remote network access entirely if the application is intended for single-user localhost operation. Review application logs for suspicious avatar_url parameters containing '..' sequences to identify potential exploitation attempts. Verify that secrets.json and settings.json files have not been accessed or modified by unauthorized users. Full remediation details and security advisory available at https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-vprr-q85p-79mf.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-vprr-q85p-79mf