SillyTavern Path Traversal Vulnerability Allowing Arbitrary File Read/Delete

Vulnerability

A path traversal vulnerability has been identified in SillyTavern versions prior to 1.17.0. This vulnerability allows authenticated attackers to read and delete arbitrary files within their user data root, such as secrets.json and settings.json. The issue arises from the chat endpoints, where the input validation for the avatar_url parameter fails to properly sanitize traversal segments, enabling access to files outside the intended directory.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive user files, including per-user secrets and configuration data. Additionally, attackers could delete critical files, disrupting normal account operations. The risk is particularly significant in multi-user or remotely accessible deployments.

Reproduction

To reproduce this vulnerability, send a request to the chat export or delete endpoints with a crafted avatar_url parameter that includes traversal segments, such as '..'. This can be done using a tool like curl, including the necessary authentication cookie and CSRF token. The request will bypass the inadequate validation and allow access to sensitive files or deletion of important user data.

Remediation

Users are advised to update SillyTavern to version 1.17.0 or later, where this vulnerability has been patched.

Added: Apr 2, 2026, 6:58 PM
Updated: Apr 2, 2026, 6:58 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 6.6
remediation: 0.0
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.