SillyTavern, Session Invalidation Failure, CVE-None (Medium)

Listen to this Post

How the mentioned CVE works (technical details):

SillyTavern uses `cookie-session` middleware for authentication, making sessions completely stateless. All user data (handle, permissions) is serialized and stored inside a signed cookie. The server does not maintain any session registry. When a user changes their password via `POST /api/users/change-password` or POST /api/users/recover-step2, the server only updates the password hash in the database. No action is taken to rotate the session signing key, clear the cookie, or invalidate existing tokens. Because the session is client-side, the old cookie remains cryptographically valid – its signature still matches the server’s secret, and the payload contains the same user identifier. The server continues to accept the old cookie for authentication, as there is no mechanism to check whether the password was changed after the cookie was issued. Attackers who steal a session cookie (via XSS, MITM, local access, etc.) retain full access even after the victim resets their password. The default cookie `maxAge` is 400 days, providing an extremely long exploitation window. The only way to manually revoke sessions would be to change the server’s session secret, which forces logout for all users. PoC steps: two browsers share same account; change password from browser A; browser B remains logged in without re-authentication. Fixed in version 1.18.0 by adding session invalidation logic on password change (e.g., resetting the session secret or clearing the cookie).

dailycve form:

Platform: SillyTavern
Version: <1.18.0
Vulnerability: Session not invalidated
Severity: Medium
date: 2024-05-15

Prediction: Patched 2024-06-10

What Undercode Say:

Simulate session reuse after password change
curl -X POST https://target/api/users/login -c cookies.txt -d '{"user":"victim","pass":"old"}'
curl -X POST https://target/api/users/change-password -b cookies.txt -d '{"newPass":"new"}'
Stolen cookie still works
curl -X GET https://target/api/users/me -b cookies.txt
Code pattern that caused the issue (pseudo)
app.use(require('cookie-session')({ secret: 'fixed_secret' }))
app.post('/change-password', (req, res) => {
db.updatePassword(req.user.id, req.body.newPass) missing: req.session = null
res.send('password changed')
})

how Exploit:

Steal valid session cookie via XSS/MITM. After victim changes password, reuse stolen cookie to access API keys, chat logs, and server config indefinitely.

Protection from this CVE:

Upgrade to SillyTavern ≥1.18.0. If unpatched, rotate server’s `cookieSession.secret` after every password change (forces all sessions logout). Implement server-side session store with explicit revocation.

Impact:

Attacker retains full account control even after password reset. Default 400-day cookie lifespan turns recovered account into persistent backdoor. Nullifies password change as a recovery measure.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top