SillyTavern Server-Side Request Forgery Vulnerability in Asset Download Endpoint

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in SillyTavern versions prior to 1.16.0. It allows authenticated users to make arbitrary HTTP requests from the server through the asset download endpoint, with no validation of the target URL. The full response body of each request is returned to the user, which could lead to unauthorized access to internal services, cloud metadata, and private network resources. The vulnerability has been patched in version 1.16.0 by adding a whitelist domain check for asset download requests, which can be customized in the 'config.yaml' file.

Impact

Exploitation of this vulnerability allows for full-read SSRF, where the complete response body from the target URL is returned to the attacker. This could include sensitive cloud metadata, internal APIs, databases, and other services. Additionally, for categories other than 'character', the fetched content is saved to the server's filesystem, potentially leading to cache poisoning or content injection. When deployed on cloud infrastructure, this vulnerability could be used to steal IAM credentials and service account tokens. The vulnerability also facilitates internal network reconnaissance by allowing interaction with services on the internal network.

Reproduction

To reproduce this vulnerability, send a POST request to the '/api/assets/download' endpoint with a URL that points to a target service or cloud metadata endpoint. Include the 'category' parameter set to 'character' to receive the full response body, or use a different category to save the response content to the server's filesystem.

Remediation

Users should update to SillyTavern version 1.16.0 or later and customize the whitelist of domains permitted for asset download requests in the 'config.yaml' file.
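The following is an added illustrative example, not SillyTavern's own code, of the kind of hostname allowlist check the 1.16.0 fix describes: a server-side validator run on an asset download URL before anything is fetched. The allowlist contents, function names and the idea of reading the list from 'config.yaml' are assumptions for this example.

```javascript
// Added example of an allowlist check for asset download URLs.
// Not SillyTavern's code; the allowlist below is a constructed placeholder
// standing in for the list an operator would maintain in config.yaml.
const ASSET_HOST_ALLOWLIST = ['example-assets.test', 'cdn.example-assets.test'];

// True when `hostname` equals an allowed entry or is a subdomain of one.
// Matching on the dot boundary prevents 'evil-example-assets.test' from passing.
function hostMatches(hostname, allowedHost) {
  return hostname === allowedHost || hostname.endsWith('.' + allowedHost);
}

// Treat dotted-quad and bracketed IPv6 hostnames as IP literals. The WHATWG
// URL parser has already normalized forms such as 0x7f000001 to 127.0.0.1.
function isIpLiteral(hostname) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname) || hostname.includes(':');
}

// Validate a user-supplied asset URL. Returns { ok: true, url } when the
// server may fetch it, otherwise { ok: false, reason }.
function validateAssetUrl(rawUrl, allowlist = ASSET_HOST_ALLOWLIST) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: 'malformed URL' };
  }
  // Only plain web schemes; this rejects file:, ftp:, gopher: and similar.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `scheme not allowed: ${url.protocol}` };
  }
  // Embedded credentials are a classic way to confuse naive host checks.
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials in URL not allowed' };
  }
  const host = url.hostname.toLowerCase();
  if (isIpLiteral(host)) {
    return { ok: false, reason: 'IP literal not allowed' };
  }
  if (!allowlist.some((allowed) => hostMatches(host, allowed.toLowerCase()))) {
    return { ok: false, reason: `host not in allowlist: ${host}` };
  }
  return { ok: true, url: url.href };
}
```

An allowlisted hostname still says nothing about the address it resolves to, so a complete fix also checks the resolved IP at connection time and applies the same validation to every redirect the fetch follows.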

Added: Feb 19, 2026, 9:27 PM
Updated: Feb 19, 2026, 9:27 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 7.4
remediation: 0.0
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.