CVE-2026-34524
Severity: HIGH 8.3 | EPSS: 0.03%
SillyTavern: Path Traversal in `/api/chats/export` and `/api/chats/delete` allows arbitrary file read/delete within user data root
Description
## Summary

A Path Traversal vulnerability in the chat endpoints allows an authenticated attacker to read and delete arbitrary files under their own user data root (for example `secrets.json` and `settings.json`) by supplying `avatar_url=".."`.

### Details

The input validator applied to `avatar_url` blocks only `/` and NUL bytes; it does not reject traversal segments such as `..`.

Evidence:

- Weak validator regex (does not reject `..`): <https://github.com/SillyTavern/SillyTavern/blob/b7bb8be35a5c779b4db12a4a5b94d7e49096071c/src/middleware/validateFileName.js#L24-L27>
- Vulnerable delete path construction: <https://github.com/SillyTavern/SillyTavern/blob/b7bb8be35a5c779b4db12a4a5b94d7e49096071c/src/endpoints/chats.js#L575-L577>
- Vulnerable export path construction: <https://github.com/SillyTavern/SillyTavern/blob/b7bb8be35a5c779b4db12a4a5b94d7e49096071c/src/endpoints/chats.js#L595-L598>
- Endpoint auth context (authenticated user access): <https://github.com/SillyTavern/SillyTavern/blob/b7bb8be35a5c779b4db12a4a5b94d7e49096071c/src/server-main.js#L239>

Because `avatar_url=".."` passes validation, `path.join(<user>/chats, "..")` resolves to `<user>/`, one level above the chats directory. The requested chat file name (`file` for export, `chatfile` for delete) is then joined onto that directory, so a name such as `secrets.json` selects a file in the user data root rather than a chat transcript. The traversal is limited to the caller's own user data root; it does not reach other users' data or the host filesystem beyond that root.

### PoC

Prerequisites:

- Valid authenticated session cookie (`cookie.txt`)
- Valid CSRF token (`$TOKEN`)

Read sensitive file (`secrets.json`):

```bash
curl -b cookie.txt -H "x-csrf-token: $TOKEN" -H "content-type: application/json" \
  -d '{"avatar_url":"..","is_group":false,"file":"secrets.json","format":"jsonl","exportfilename":"x"}' \
  http://TARGET:8000/api/chats/export
```

Delete sensitive file (`settings.json`):

```bash
curl -b cookie.txt -H "x-csrf-token: $TOKEN" -H "content-type: application/json" \
  -d '{"avatar_url":"..","chatfile":"settings.json"}' \
  http://TARGET:8000/api/chats/delete
```

### Impact

- Confidentiality: per-user secrets and configuration data are exposed.
- Integrity/Availability: an attacker can delete critical per-user files and break account operation.
- Risk is significant in multi-user or remotely reachable deployments, where an account holder with low privileges can target files that are not meant to be reachable through the chat API.

### Resolution

The issue was addressed in version 1.17.0. Deployments running an earlier version should upgrade to 1.17.0 or later.
Affected packages (1)
- npm/sillytavern: from 0, < 1.17.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L |