SillyTavern Path Traversal Vulnerability in Chat Import API Allows Arbitrary File Write
Vulnerability
A path traversal vulnerability has been identified in SillyTavern versions prior to 1.17.0. The issue resides in the '/api/chats/import' endpoint, where authenticated attackers can inject traversal sequences into the 'character_name' parameter and thereby write files to locations outside the designated chats directory. The root cause is that 'character_name' is used unsanitized when the destination filename is built: it is passed into 'path.join()' without validation, so traversal segments are resolved relative to the chats directory instead of being rejected. Exploitation could lead to unauthorized file creation in sensitive areas of the filesystem, potentially disrupting normal application operation or exhausting disk space.
Impact
Exploitation of this vulnerability allows arbitrary file writes, which can disrupt application functionality, exhaust disk space and, when combined with other local processing behaviors, lead to more severe consequences.
Reproduction
To reproduce this vulnerability, an authenticated session is required. After obtaining a valid session cookie and CSRF token, the vulnerability can be exploited by sending a POST request to the '/api/chats/import' endpoint. The request must include the 'character_name' parameter with a traversal sequence that escapes the intended directory, such as '../../../../tmp/st_poc'. This will cause the application to write a file to the specified location outside the chats directory.
Remediation
Users are advised to update SillyTavern to version 1.17.0 or later, where this vulnerability has been patched.
