Description
The web UI for SillyTavern is susceptible to DNS rebinding, allowing an attacker to perform actions such as installing malicious extensions, reading chats, and injecting arbitrary HTML for phishing. In a DNS rebinding attack, the victim's browser loads a page served from an attacker-controlled hostname; the attacker then switches that hostname's DNS record to point at the address the local SillyTavern server listens on. Because the hostname has not changed, the browser treats subsequent requests to the local server as same-origin with the attacker's page (CWE-346, CWE-940), so the page can read responses and drive the API with the victim's access. The standard defence for a locally served web UI is to validate the Host header against the names and addresses the server actually answers for and reject everything else, since a rebound request still carries the attacker's hostname in that header.
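The following is an added example of the Host-header check described above, written for this page and not taken from SillyTavern or its patch. It assumes a Node.js server with an Express-style (req, res, next) middleware signature and an operator-supplied allowlist; the default allowlist below is an assumption and an operator who binds the UI to a LAN address would add that address to it.

```javascript
// Added example: Host-header allowlist check against DNS rebinding.
// Illustrative code, not SillyTavern's own implementation.
//
// A rebound request arrives with Host: attacker.example (the name the
// victim's browser believes it is talking to), which a local server never
// answers for. Rejecting unknown Host values closes the attack regardless
// of where the attacker's DNS record points.

// Assumed default: loopback names only. Operators extend this for LAN use.
const DEFAULT_ALLOWED_HOSTS = new Set(['localhost', '127.0.0.1', '::1']);

// Characters that can legitimately appear in a Host header value.
// Anything else (e.g. '@', '/', '?') is rejected before parsing so the
// URL parser cannot be tricked into treating part of it as userinfo.
const HOST_CHARS = /^[A-Za-z0-9.\-:[\]]+$/;

// Parse "host[:port]" (including bracketed IPv6) into { hostname, port }.
// Returns null on anything malformed.
function parseHostHeader(hostHeader) {
  if (typeof hostHeader !== 'string' || !HOST_CHARS.test(hostHeader)) {
    return null;
  }
  let url;
  try {
    // Reuse the WHATWG URL parser instead of hand-rolling the grammar.
    url = new URL(`http://${hostHeader}/`);
  } catch {
    return null;
  }
  // url.hostname keeps the brackets around IPv6 literals; strip them so
  // "[::1]" compares equal to the allowlisted "::1".
  const hostname = url.hostname.replace(/^\[|\]$/g, '').toLowerCase();
  return { hostname, port: url.port || '80' };
}

// The port is deliberately not checked: a rebinding page is served on the
// same port as the target, so only the hostname carries signal.
function isAllowedHost(hostHeader, allowedHosts = DEFAULT_ALLOWED_HOSTS) {
  const parsed = parseHostHeader(hostHeader);
  return parsed !== null && allowedHosts.has(parsed.hostname);
}

// Middleware in the (req, res, next) shape, written without an Express
// dependency so this file runs stand-alone.
function hostCheckMiddleware(allowedHosts = DEFAULT_ALLOWED_HOSTS) {
  return function (req, res, next) {
    if (isAllowedHost(req.headers.host, allowedHosts)) {
      return next();
    }
    res.statusCode = 403;
    res.setHeader('Content-Type', 'text/plain');
    res.end('Forbidden: unexpected Host header');
  };
}

// Drive the middleware with a constructed request/response pair so the
// behaviour can be observed (and tested) without opening a socket.
function simulateRequest(hostHeader, allowedHosts = DEFAULT_ALLOWED_HOSTS) {
  const req = { headers: { host: hostHeader } };
  const res = {
    statusCode: 200,
    headers: {},
    body: '',
    setHeader(name, value) { this.headers[name] = value; },
    end(body) { this.body = body || ''; },
  };
  let reachedHandler = false;
  hostCheckMiddleware(allowedHosts)(req, res, () => {
    reachedHandler = true;
    res.end('ok');
  });
  return { statusCode: res.statusCode, reachedHandler, body: res.body };
}

// Constructed sample: the user's own browser versus a rebound page.
console.log('localhost:8000      ->', simulateRequest('localhost:8000'));
console.log('attacker.example:8000 ->', simulateRequest('attacker.example:8000'));
```

The check belongs in front of every route, including the API endpoints that install extensions or return chat data, because the rebound page is a full same-origin client and is not limited to loading the UI's HTML.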
Recommendation
Update the sillytavern package to the latest compatible version. Version details:
- Affected version(s): < 1.13.4
- Patched version(s): 1.13.4
References
- GHSA-7cxj-w27x-x78q
- docs.sillytavern.app
- CVE-2025-59159
- CWE-346
- CWE-940
- CAPEC-310
- OWASP 2021-A6
- OWASP 2021-A7
Related Issues
- Atro CSRF Middleware Bypass (security.checkOrigin) - CVE-2024-56140
- Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) - CVE-2020-8203
- Better Call routing bug can lead to Cache Deception - Vulnerability
- QMarkdown Cross-Site Scripting (XSS) vulnerability - CVE-2025-43954
Tags
- npm
- sillytavern
Last updated on October 06, 2025