GHSA-XC4X-2452-5GC9
Vulnerability from github – Published: 2026-05-12 22:23 – Updated: 2026-05-12 22:23
VLAI
Summary
SillyTavern has a reflected XSS vulnerability in the CORS proxy middleware
Details
Resolution
Fixed in SillyTavern 1.18.0: a user-provided URL is no longer reflected in the HTTP response body.
Overview
- Vulnerability Type: XSS
- Affected Location:
src/middleware/corsProxy.js:40 - Trigger Scenario: reflected XSS in CORS proxy error response
Root Cause
When fetch(url) throws, the code sends:
res.status(500).send('Error occurred while trying to proxy to: ' + url + ' ' + error).
The url value is attacker-controlled (req.params.url) and is not HTML-escaped before rendering.
Source-to-Sink Chain
- Source (user-controlled input)
-
Entry point:
GET /proxy/:url(*) -
Data flow
- Code analysis shows concrete propagation into this sink:
- vulnerability title:
Reflected XSS in CORS proxy error response - sink location reached by attacker-controlled input:
src/middleware/corsProxy.js:40 -
The same sink behavior is confirmed by controlled execution observations.
-
Sink (dangerous operation)
- Sink location:
src/middleware/corsProxy.js:40 - Vulnerable behavior: reflected XSS in CORS proxy error response
Exploitation Preconditions
- The attacker can inject controllable content into a rendered response.
- The vulnerable rendering context does not apply strict output encoding/sanitization.
- A victim user opens the affected page or response.
Risk
This issue enables script execution in the victim context and can compromise session or data integrity.
Impact
An attacker may run arbitrary JavaScript in the victim context, steal tokens, and manipulate user-visible behavior.
Remediation
- Never concatenate raw user input into HTML error responses.
- If URL echo is required, HTML-escape it or force plain-text output.
- Re-enable/strengthen CSP to reduce reflected injection impact.
Severity
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.17.0"
},
"package": {
"ecosystem": "npm",
"name": "sillytavern"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44651"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-12T22:23:56Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Resolution\n\nFixed in SillyTavern 1.18.0: a user-provided URL is no longer reflected in the HTTP response body.\n\n## Overview\n- Vulnerability Type: XSS\n- Affected Location: `src/middleware/corsProxy.js:40`\n- Trigger Scenario: reflected XSS in CORS proxy error response\n\n## Root Cause\nWhen `fetch(url)` throws, the code sends:\n`res.status(500).send(\u0027Error occurred while trying to proxy to: \u0027 + url + \u0027 \u0027 + error)`.\nThe `url` value is attacker-controlled (`req.params.url`) and is not HTML-escaped before rendering.\n\n## Source-to-Sink Chain\n1. Source (user-controlled input)\n- Entry point: `GET /proxy/:url(*)`\n\n2. Data flow\n- Code analysis shows concrete propagation into this sink:\n - vulnerability title: `Reflected XSS in CORS proxy error response`\n - sink location reached by attacker-controlled input: `src/middleware/corsProxy.js:40`\n- The same sink behavior is confirmed by controlled execution observations.\n\n3. Sink (dangerous operation)\n- Sink location: `src/middleware/corsProxy.js:40`\n- Vulnerable behavior: reflected XSS in CORS proxy error response\n\n## Exploitation Preconditions\n1. The attacker can inject controllable content into a rendered response.\n2. The vulnerable rendering context does not apply strict output encoding/sanitization.\n3. A victim user opens the affected page or response.\n\n## Risk\nThis issue enables script execution in the victim context and can compromise session or data integrity.\n\n## Impact\nAn attacker may run arbitrary JavaScript in the victim context, steal tokens, and manipulate user-visible behavior.\n\n## Remediation\n1. Never concatenate raw user input into HTML error responses.\n2. If URL echo is required, HTML-escape it or force plain-text output.\n3. Re-enable/strengthen CSP to reduce reflected injection impact.",
"id": "GHSA-xc4x-2452-5gc9",
"modified": "2026-05-12T22:23:56Z",
"published": "2026-05-12T22:23:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-xc4x-2452-5gc9"
},
{
"type": "PACKAGE",
"url": "https://github.com/SillyTavern/SillyTavern"
},
{
"type": "WEB",
"url": "https://github.com/SillyTavern/SillyTavern/releases/tag/1.18.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "SillyTavern has a reflected XSS vulnerability in the CORS proxy middleware"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…