CVE-2025-59159 Overview
CVE-2025-59159 is a DNS rebinding vulnerability affecting SillyTavern, a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. In versions prior to 1.13.4, the web user interface is susceptible to DNS rebinding attacks, allowing remote attackers to bypass same-origin policy protections and perform unauthorized actions on the local SillyTavern instance.
This vulnerability falls under CWE-346 (Origin Validation Error) and enables attackers to install malicious extensions, read private chat conversations, and inject arbitrary HTML content for phishing attacks against users running vulnerable SillyTavern installations.
Critical Impact
Remote attackers can exploit DNS rebinding to compromise local SillyTavern installations, enabling unauthorized access to sensitive chat data, installation of malicious extensions, and HTML injection for phishing attacks.
Affected Products
- SillyTavern versions prior to 1.13.4
- SillyTavern installations hosted on local networks without SSL
- SillyTavern deployments with default host validation settings
Discovery Timeline
- 2025-10-06 - CVE-2025-59159 published to NVD
- 2025-10-08 - Last updated in NVD database
Technical Details for CVE-2025-59159
Vulnerability Analysis
DNS rebinding is a technique that allows an attacker to bypass the browser's same-origin policy by manipulating DNS responses. When a user visits a malicious website, the attacker's DNS server initially resolves to the attacker's IP address. After the browser caches this resolution, the DNS server changes the record to point to the victim's internal network address (such as 127.0.0.1 or a local network IP), allowing the attacker's JavaScript code to make requests to the local SillyTavern instance as if it were the same origin.
Prior to version 1.13.4, SillyTavern did not validate the Host header in incoming HTTP requests, making it vulnerable to this attack vector. An attacker could craft a malicious page that, when visited by a SillyTavern user, would execute API calls against the local SillyTavern server with the user's session context.
Root Cause
The root cause of this vulnerability is the lack of host validation in inbound HTTP requests. SillyTavern's web server did not implement any mechanism to verify that incoming requests originated from legitimate hostnames. This allowed DNS rebinding attacks to succeed because the server would accept requests from any hostname, including attacker-controlled domains that had been rebinded to localhost.
The vulnerability is classified as CWE-346 (Origin Validation Error), where the software fails to properly verify that an incoming request originates from an expected source.
Attack Vector
The attack requires user interaction—specifically, the victim must visit a malicious webpage while running a vulnerable SillyTavern instance. The attack flow proceeds as follows:
- Attacker sets up a malicious website with JavaScript payload and a DNS server with a short TTL
- Victim visits the malicious site; DNS initially resolves to attacker's server
- After TTL expires, DNS rebinds to victim's local SillyTavern instance (e.g., 127.0.0.1:8000)
- Attacker's JavaScript now executes against the local SillyTavern API
- Attacker can read chats, install extensions, or inject malicious HTML
The security patch introduces host whitelisting middleware that validates incoming request hostnames against an allowed list:
+import path from 'node:path';
+import { color, getConfigValue, safeReadFileSync } from '../util.js';
+import { serverDirectory } from '../server-directory.js';
+import { isHostAllowed, hostValidationMiddleware } from 'host-validation-middleware';
+
+const knownHosts = new Set();
+const maxKnownHosts = 1000;
+
+const hostWhitelistEnabled = !!getConfigValue('hostWhitelist.enabled', false);
+const hostWhitelist = Object.freeze(getConfigValue('hostWhitelist.hosts', []));
+const hostWhitelistScan = !!getConfigValue('hostWhitelist.scan', false, 'boolean');
+
+const hostNotAllowedHtml = safeReadFileSync(path.join(serverDirectory, 'public/error/host-not-allowed.html'))?.toString() ?? '';
+
+const validationMiddleware = hostValidationMiddleware({
+ allowedHosts: hostWhitelist,
+ generateErrorMessage: () => hostNotAllowedHtml,
+ errorResponseContentType: 'text/html',
+});
+
+/**
+ * Middleware to validate remote hosts.
+ * Useful to protect against DNS rebinding attacks.
+ * @param {import('express').Request} req Request
+ * @param {import('express').Response} res Response
+ * @param {import('express').NextFunction} next Next middleware
+ */
+export default function hostWhitelistMiddleware(req, res, next) {
+ const hostValue = req.headers.host;
+ if (hostWhitelistScan && !isHostAllowed(hostValue, hostWhitelist) && !knownHosts.has(hostValue) && knownHosts.size < maxKnownHosts) {
Source: SillyTavern Commit Update
Detection Methods for CVE-2025-59159
Indicators of Compromise
- Unexpected HTTP requests to SillyTavern with unusual Host headers not matching expected hostnames
- Web server logs showing requests from domains not recognized in the deployment configuration
- Unauthorized extensions appearing in the SillyTavern installation
- Unexpected modifications to chat history or configuration files
Detection Strategies
- Monitor SillyTavern server logs for HTTP requests with Host headers containing unfamiliar or suspicious domain names
- Implement network monitoring to detect DNS rebinding patterns, such as rapid DNS TTL changes for the same domain
- Review installed extensions periodically for any unauthorized or unrecognized additions
- Deploy endpoint detection solutions to identify suspicious JavaScript execution patterns in browsers accessing local services
Monitoring Recommendations
- Enable verbose logging in SillyTavern to capture all incoming request headers for forensic analysis
- Configure network security tools to alert on DNS queries with unusually short TTL values
- Implement browser-based monitoring for users to detect unexpected cross-origin requests to localhost
- Establish baseline behavior for SillyTavern API usage to identify anomalous activity patterns
How to Mitigate CVE-2025-59159
Immediate Actions Required
- Upgrade SillyTavern to version 1.13.4 or later immediately
- Enable the host whitelisting feature by setting hostWhitelist.enabled to true in config.yaml
- Configure the hostWhitelist.hosts array with allowed hostnames for your deployment
- Review and audit any installed extensions for unauthorized or suspicious additions
Patch Information
The vulnerability has been patched in SillyTavern version 1.13.4. The fix introduces a server configuration setting that enables validation of host names in inbound HTTP requests according to a provided list of allowed hosts. Users can enable this protection through:
- Setting hostWhitelist.enabled in the config.yaml file
- Using the SILLYTAVERN_HOSTWHITELIST_ENABLED environment variable
Note that while the setting is disabled by default to maintain backwards compatibility with existing configurations, users are strongly encouraged to enable host whitelisting, especially when hosting SillyTavern over a local network without SSL.
For detailed configuration guidance, refer to the SillyTavern Host Whitelisting Documentation and the SillyTavern Security Checklist.
Workarounds
- Enable SSL/TLS for SillyTavern deployments to prevent DNS rebinding from succeeding in most browsers
- Restrict SillyTavern to listen only on 127.0.0.1 and avoid exposing it on network interfaces accessible to other devices
- Use browser extensions or network-level controls to block DNS rebinding attempts
- Deploy SillyTavern behind a reverse proxy with proper host header validation configured
# Configuration example for config.yaml
# Enable host whitelisting to prevent DNS rebinding attacks
hostWhitelist:
enabled: true
hosts:
- localhost
- 127.0.0.1
scan: true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
