Skip to main content

CVE-2026-34524

HIGH
Path Traversal (CWE-22)
2026-04-01 https://github.com/SillyTavern/SillyTavern GHSA-vprr-q85p-79mf
8.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.3 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

3
Patch released
Apr 02, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 01, 2026 - 22:16 vuln.today
CVE Published
Apr 01, 2026 - 21:41 nvd
HIGH 8.3

DescriptionGitHub Advisory

Summary

A Path Traversal vulnerability in chat endpoints allows an authenticated attacker to read and delete arbitrary files under their user data root (for example secrets.json and settings.json) by supplying avatar_url="..".

Details

The input validator used by avatar_url blocks only / and NUL bytes, but does not block traversal segments like ...

Evidence:

  • Weak validator regex (does not reject ..):

<https://github.com/SillyTavern/SillyTavern/blob/b7bb8be35a5c779b4db12a4a5b94d7e49096071c/src/middleware/validateFileName.js#L24-L27>

  • Vulnerable delete path construction:

<https://github.com/SillyTavern/SillyTavern/blob/b7bb8be35a5c779b4db12a4a5b94d7e49096071c/src/endpoints/chats.js#L575-L577>

  • Vulnerable export path construction:

<https://github.com/SillyTavern/SillyTavern/blob/b7bb8be35a5c779b4db12a4a5b94d7e49096071c/src/endpoints/chats.js#L595-L598>

  • Endpoint auth context (authenticated user access):

<https://github.com/SillyTavern/SillyTavern/blob/b7bb8be35a5c779b4db12a4a5b94d7e49096071c/src/server-main.js#L239>

Because avatar_url=".." is accepted, path.join(<user>/chats, "..") resolves to <user>/, enabling direct access to files outside the chats directory.

PoC

Prerequisites:

  • Valid authenticated session cookie (cookie.txt)
  • Valid CSRF token ($TOKEN)

Read sensitive file (secrets.json):

bash
curl -b cookie.txt -H "x-csrf-token: $TOKEN" -H "content-type: application/json" \
  -d '{"avatar_url":"..","is_group":false,"file":"secrets.json","format":"jsonl","exportfilename":"x"}' \
  http://TARGET:8000/api/chats/export

Delete sensitive file (settings.json):

bash
curl -b cookie.txt -H "x-csrf-token: $TOKEN" -H "content-type: application/json" \
  -d '{"avatar_url":"..","chatfile":"settings.json"}' \
  http://TARGET:8000/api/chats/delete

Impact

  • Confidentiality: exposed per-user secrets and config data.
  • Integrity/Availability: attacker can delete critical per-user files and break account operation.
  • Risk is significant in multi-user or remotely reachable deployments.

Resolution

The issue was addressed in version 1.17.0

AnalysisAI

Path traversal in SillyTavern's chat API allows authenticated attackers to read and delete sensitive configuration files (secrets.json, settings.json) outside the intended chats directory by exploiting insufficient input validation on the avatar_url parameter. The vulnerability (CVSS 8.3) permits traversal using '..' segments due to a regex validator that only blocks '/' and NUL bytes. Publicly available exploit code exists with working proof-of-concept commands provided in the GitHub advisory. EPSS data not available, but the straightforward exploitation path (AV:N/AC:L/PR:L) and availability of working POC code present significant risk for multi-user or internet-facing SillyTavern deployments. Vendor-released patch available in version 1.17.0.

Technical ContextAI

SillyTavern is a Node.js-based chat interface application (npm package). The vulnerability stems from CWE-22 (Path Traversal) in the middleware input validation layer. The validateFileName.js module uses a regex pattern that blocks forward slashes and NUL bytes but fails to sanitize '..' traversal sequences. When user-supplied avatar_url values are passed to Node.js path.join() operations in the /api/chats/export and /api/chats/delete endpoints, the '..' segments resolve upward from the intended <user>/chats/ directory to the parent <user>/ directory. This allows authenticated attackers to construct file paths that reference sensitive files like secrets.json (API credentials) and settings.json (application configuration) stored in the user data root, bypassing directory containment controls. The endpoints are protected by authentication and CSRF tokens but do not perform secondary path canonicalization checks.

RemediationAI

Upgrade immediately to SillyTavern version 1.17.0 or later, which addresses the path traversal vulnerability through improved input validation. The patch enhances the validateFileName middleware to properly reject '..' traversal sequences in addition to the existing '/' and NUL byte blocks. Organizations unable to upgrade immediately should implement network-level access controls to restrict the /api/chats/* endpoints to trusted users only and consider disabling remote network access entirely if the application is intended for single-user localhost operation. Review application logs for suspicious avatar_url parameters containing '..' sequences to identify potential exploitation attempts. Verify that secrets.json and settings.json files have not been accessed or modified by unauthorized users. Full remediation details and security advisory available at https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-vprr-q85p-79mf.

Share

CVE-2026-34524 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy