Threat Feed
high advisory

SillyTavern SSRF Vulnerability in SearXNG Search Proxy via Unvalidated baseUrl

SillyTavern version 1.17.0 is vulnerable to server-side request forgery (SSRF) via the `/api/search/searxng` route, allowing authenticated low-privilege users to control the `baseUrl` parameter for outbound server-side fetches, potentially disclosing sensitive information from internal HTTP services or cloud metadata endpoints.

SillyTavern version 1.17.0 contains a server-side request forgery (SSRF) vulnerability in the /api/search/searxng route. This endpoint accepts a baseUrl parameter from the request body and uses it to construct outbound HTTP requests without proper validation. An authenticated, low-privilege user can manipulate the baseUrl to point to internal or loopback HTTP services. SillyTavern 1.18.0 introduced a request filter, but it is disabled by default and must be manually enabled and configured. This vulnerability allows attackers to potentially access sensitive data, interact with internal services, and exploit cloud metadata endpoints if the application is not properly secured.

Attack Chain

  1. Attacker authenticates to the SillyTavern application using valid credentials.
  2. The attacker crafts a POST request to the /api/search/searxng endpoint.
  3. In the request body, the attacker sets the baseUrl parameter to a malicious URL, such as an internal service on the loopback address (e.g., http://127.0.0.1:9091/).
  4. The attacker sets the query parameter to a benign value to satisfy the application’s requirements.
  5. The SillyTavern server receives the POST request and extracts the baseUrl and query parameters.
  6. The server constructs a new URL using the attacker-controlled baseUrl and makes an HTTP request to it.
  7. The server fetches the /search endpoint on the attacker-controlled base URL, appending the attacker-controlled query parameter (e.g., http://127.0.0.1:9091/search?q=x).
  8. The server receives the response from the malicious URL and returns it to the attacker, effectively disclosing information from the internal service.

Impact

Successful exploitation of this SSRF vulnerability allows an attacker to disclose responses from loopback or internal HTTP services reachable from the SillyTavern host. This can lead to the exposure of sensitive information, such as internal admin panels, development services, and cloud metadata endpoints in applicable deployments. It can also enable service discovery across private networks. If the request filter is not enabled and properly configured, the attacker can potentially gain unauthorized access to internal resources and compromise the confidentiality and integrity of the SillyTavern environment.

Recommendation

Detection coverage (2 rules)

Detect Suspicious SillyTavern SSRF Attempt

high

Detects CVE-2026-46372 exploitation — An authenticated user attempts to exploit SSRF in SillyTavern by sending a request to the /api/search/searxng endpoint with a suspicious baseUrl.

Rule format: sigma; tactics: initial_access; techniques: T1190; sources: webserver

Detect SillyTavern SSRF Attempt via Internal IP

high

Detects CVE-2026-46372 exploitation — An authenticated user attempts to exploit SSRF in SillyTavern by sending a request to the /api/search/searxng endpoint with a baseUrl containing an internal IP address.

Rule format: sigma; tactics: initial_access; techniques: T1190; sources: webserver
