GHSA-CCFQ-2454-F5XW

Vulnerability from github – Published: 2026-05-12 22:24 – Updated: 2026-05-12 22:24
VLAI
Summary
SillyTavern has a SSRF vulnerability in the CORS proxy middleware
Details

Resolution

SillyTavern 1.18.0 added a generic server-side request filter (Private Request Whitelisting). Since we expect users to use the application in a trusted environment, the filter is disabled by default, however it is strongly advised to be enabled and properly configured when an instance is being hosted over a network, as suggested by a console warning message and an officially published security checklist for administrators.

Documentation:

  • https://docs.sillytavern.app/administration/config-yaml/#private-address-whitelisting
  • https://docs.sillytavern.app/administration/#security-checklist

Note on future SSRF findings

Since the request filter applies to the entire application, no SSRF vulnerabilities against individual endpoints will be accepted, unless it has been proven that a properly configured and enabled filter can be bypassed in an undocumented way. Only advisories disclosed before the 1.18.0 release will be posted if their concern is SSRF.

Overview

  • Vulnerability Type: SSRF
  • Affected Location: src/middleware/corsProxy.js:31
  • Trigger Scenario: SSRF in optional CORS proxy

Root Cause

corsProxyMiddleware forwards req.params.url directly into fetch(url, ...). It only blocks circular requests to its own host and does not enforce destination allowlist or private/loopback restrictions, enabling SSRF.

Source-to-Sink Chain

  1. Source (user-controlled input)

  2. Entry point: GET /proxy/:url(*)

  3. Data flow

  4. Code analysis shows concrete propagation into this sink:
  5. vulnerability title: SSRF in optional CORS proxy
  6. sink location reached by attacker-controlled input: src/middleware/corsProxy.js:31

  7. The same sink behavior is confirmed by controlled execution observations.

  8. Sink (dangerous operation)

  9. Sink location: src/middleware/corsProxy.js:31
  10. Vulnerable behavior: SSRF in optional CORS proxy

Exploitation Preconditions

  1. The attacker can control or influence a URL/endpoint parameter.
  2. The server can access internal or sensitive network targets.
  3. Outbound request validation or redirect controls are insufficient.

Risk

This issue can be used to pivot network access and reach unintended internal resources.

Impact

An attacker may access internal network services or metadata endpoints and exfiltrate sensitive responses.

Remediation

  1. Enforce strict destination allowlist for proxy targets.
  2. Block loopback, link-local, RFC1918, and metadata address ranges.
  3. Apply the same destination validation to redirects.
Severity
6.9 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.17.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "sillytavern"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.18.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44652"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-12T22:24:05Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Resolution\n\nSillyTavern 1.18.0 added a generic server-side request filter (Private Request Whitelisting). Since we expect users to use the application in a trusted environment, the filter is disabled by default, however it is strongly advised to be enabled and properly configured when an instance is being hosted over a network, as suggested by a console warning message and an officially published security checklist for administrators.\n\nDocumentation: \n\n- https://docs.sillytavern.app/administration/config-yaml/#private-address-whitelisting\n- https://docs.sillytavern.app/administration/#security-checklist\n\n## Note on future SSRF findings\n\nSince the request filter applies to the entire application, no SSRF vulnerabilities against individual endpoints will be accepted, unless it has been proven that a properly configured and enabled filter can be bypassed in an undocumented way. Only advisories disclosed before the 1.18.0 release will be posted if their concern is SSRF.\n\n## Overview\n- Vulnerability Type: SSRF\n- Affected Location: `src/middleware/corsProxy.js:31`\n- Trigger Scenario: SSRF in optional CORS proxy\n\n## Root Cause\n`corsProxyMiddleware` forwards `req.params.url` directly into `fetch(url, ...)`. It only blocks circular requests to its own host and does not enforce destination allowlist or private/loopback restrictions, enabling SSRF.\n\n## Source-to-Sink Chain\n1. Source (user-controlled input)\n- Entry point: `GET /proxy/:url(*)`\n\n2. Data flow\n- Code analysis shows concrete propagation into this sink:\n  - vulnerability title: `SSRF in optional CORS proxy`\n  - sink location reached by attacker-controlled input: `src/middleware/corsProxy.js:31`\n- The same sink behavior is confirmed by controlled execution observations.\n\n3. Sink (dangerous operation)\n- Sink location: `src/middleware/corsProxy.js:31`\n- Vulnerable behavior: SSRF in optional CORS proxy\n\n## Exploitation Preconditions\n1. The attacker can control or influence a URL/endpoint parameter.\n2. The server can access internal or sensitive network targets.\n3. Outbound request validation or redirect controls are insufficient.\n\n## Risk\nThis issue can be used to pivot network access and reach unintended internal resources.\n\n## Impact\nAn attacker may access internal network services or metadata endpoints and exfiltrate sensitive responses.\n\n## Remediation\n1. Enforce strict destination allowlist for proxy targets.\n2. Block loopback, link-local, RFC1918, and metadata address ranges.\n3. Apply the same destination validation to redirects.",
  "id": "GHSA-ccfq-2454-f5xw",
  "modified": "2026-05-12T22:24:05Z",
  "published": "2026-05-12T22:24:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-ccfq-2454-f5xw"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/SillyTavern/SillyTavern"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SillyTavern/SillyTavern/releases/tag/1.18.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SillyTavern has a SSRF vulnerability in the CORS proxy middleware"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.