SillyTavern Path Traversal Vulnerability Allowing File Existence Verification
Vulnerability
A path traversal vulnerability has been identified in SillyTavern versions prior to 1.17.0. It allows any unauthenticated user to determine whether a given file exists on the server's filesystem. By sending percent-encoded '../' sequences in requests to static file routes, an attacker can check for the presence of specific files. The issue arises in the static file route handler, where the absence of a proper boundary check on the resolved path enables exploitation.
Impact
Exploitation of this vulnerability allows file existence to be verified on the server's filesystem, creating an oracle effect: the response differs depending on whether the requested path exists. While file contents cannot be read because of the application's file delivery restrictions, the ability to confirm file presence could be leveraged in conjunction with other information or vulnerabilities.
Reproduction
The vulnerability can be reproduced by sending a request to one of the affected static file routes, such as '/characters/*' or '/user/files/*', with a percent-encoded path traversal sequence that decodes to a file path outside the intended directory. The response status code can then be used to infer the existence of files.
Remediation
Users are advised to update SillyTavern to version 1.17.0 or later, where this vulnerability has been patched.
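The handler weakness described above is a missing boundary check between the decoded request path and the static route's root directory. The following is an added example, not SillyTavern's own code, of how such a route can decode once, normalize, and refuse any path that climbs above its root, and of a response policy that returns the same status for an out-of-root path as for a missing file so the status code is no longer an existence oracle. The root directory, file names and the injected `exists` callback are assumptions for illustration.

```javascript
// Added example (not SillyTavern's code): boundary check for a static file route.

// Decode percent-encoding exactly once. Reject malformed encodings, NUL bytes and
// anything that still contains '%' (double encoding), since those are the usual
// ways of slipping traversal sequences past naive string filters.
function decodeRequestPath(requestPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(requestPath);
  } catch (err) {
    return null; // malformed percent-encoding
  }
  if (decoded.includes('\0') || decoded.includes('%')) return null;
  return decoded;
}

// Normalize the decoded path segment by segment, tracking depth below the root.
// Returns the cleaned root-relative path, or null if a '..' would leave the root
// or the path names no file at all.
function normalizeWithinRoot(decoded) {
  const stack = [];
  for (const part of decoded.split(/[\\/]+/)) {
    if (part === '' || part === '.') continue;
    if (part === '..') {
      if (stack.length === 0) return null; // attempt to climb above the root
      stack.pop();
      continue;
    }
    stack.push(part);
  }
  return stack.length === 0 ? null : stack.join('/');
}

// Absolute path to serve for a request under rootDir, or null if it must be refused.
function resolveStaticPath(rootDir, requestPath) {
  const decoded = decodeRequestPath(requestPath);
  if (decoded === null) return null;
  const rel = normalizeWithinRoot(decoded);
  if (rel === null) return null;
  return rootDir.replace(/\/+$/, '') + '/' + rel;
}

// Status code for the route. `exists` (absolute path -> boolean) is injected so the
// policy can be exercised without touching the filesystem. A request that escapes
// the root gets the same 404 as a missing file, so the status reveals nothing
// about files outside the root.
function staticResponseStatus(rootDir, requestPath, exists) {
  const target = resolveStaticPath(rootDir, requestPath);
  if (target === null) return 404;
  return exists(target) ? 200 : 404;
}
```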
