SillyTavern: Path Traversal allows file existence oracle

Summary

A path traversal vulnerability in the static file route handler allows any unauthenticated user to determine whether files exist anywhere on the server's filesystem. By sending percent-encoded ../ sequences (%2E%2E%2F) in requests to static file routes, an attacker can check for the existence of files (404 if it doesn't exist, 403 means it exists).

Details

The vulnerability is in createRouteHandler (src/users.js:947–963), which backs all user-data static file routes:

function createRouteHandler(directoryFn) {
    return async (req, res) => {
        const directory = directoryFn(req);
        const filePath = decodeURIComponent(req.params[0]);
        const exists = fs.existsSync(path.join(directory, filePath)); // no boundary check here
        if (!exists) {
            return res.sendStatus(404);
        }
        return res.sendFile(filePath, { root: directory });
    };
}

req.params[0] contains the raw (percent-encoded) wildcard from the URL. After decodeURIComponent, a request path like /characters/%2E%2E%2F%2E%2E%2FUsers/kirakira decodes to ../../Users/kirakira, and path.join resolves it outside the intended directory. res.sendFile correctly blocks the file from being served (the send module's root check returns 403), but fs.existsSync had already run, and the 403/404 distinction reveals the result.

Affected routes (they all use the same handler, so they're all affected):

• /characters/*
• /user/files/*
• /assets/*
• /user/images/*
• /backgrounds/*
• /User%20Avatars/*

PoC

curl -o /dev/null -s -w "%{http_code}\n" "http://localhost:8000/characters/%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2FUsers/kirakira/something"

Impact

While file contents cannot be read (the send module blocks actual delivery), anyone who can reach the SillyTavern HTTP port can check the existence of files on the host filesystem.

Resolution

The issue was addressed in version 1.17.0.