DNS Rebinding Vulnerability in SillyTavern User Interface
CVE-2025-59159

9.7 CRITICAL

Key Information:

Vendor:
CVE Published: 6 October 2025

What is CVE-2025-59159?

SillyTavern is a locally installed user interface that facilitates interactions with various text and image generation models. Prior to version 1.13.4, the application was vulnerable to DNS rebinding attacks. This could allow malicious actors to install harmful extensions, access private chats, and inject arbitrary HTML for phishing purposes. To address this issue, version 1.13.4 introduced a server configuration option to validate hostnames in incoming HTTP requests against a list of allowed hosts. While this setting is off by default to ensure compatibility, users are advised to review their configurations, particularly if operating within local networks without SSL.
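The mitigation described above is a Host-header allowlist: a page served from an attacker-controlled domain that is rebound to 127.0.0.1 still sends the attacker's domain in the Host header, so a server that only honours requests whose Host matches a known-good name refuses them. The following is an added example of such a check, not SillyTavern's own code; the function names, the Express-style `(req, res, next)` middleware signature, the default allowlist contents and the sample headers are assumptions for illustration.

```javascript
// Added example (not SillyTavern's own code): validate the HTTP Host header
// against an allowlist, the kind of check that defeats DNS rebinding.
// Names, default list and sample values are assumptions for illustration.

const DEFAULT_ALLOWED_HOSTS = ["localhost", "127.0.0.1", "::1"];

// Normalise a Host header value to a bare hostname: lower-case, drop the port,
// drop IPv6 brackets. Returns null for an empty or malformed header so that
// anything odd is rejected rather than accidentally accepted.
function normalizeHost(hostHeader) {
  if (typeof hostHeader !== "string") return null;
  const raw = hostHeader.trim().toLowerCase();
  if (raw === "") return null;
  if (raw.startsWith("[")) {
    // Bracketed IPv6 literal, e.g. "[::1]:8000"
    const end = raw.indexOf("]");
    if (end === -1) return null;
    const rest = raw.slice(end + 1);
    if (rest !== "" && !/^:\d{1,5}$/.test(rest)) return null;
    return raw.slice(1, end);
  }
  // Hostname or IPv4 literal, optionally followed by ":port"
  const m = /^([a-z0-9.-]+)(?::(\d{1,5}))?$/.exec(raw);
  if (!m) return null;
  return m[1];
}

// True only if the Host header names one of the allowed hosts exactly.
// Suffix or substring matches are deliberately not accepted, so
// "localhost.attacker.example" does not pass as "localhost".
function isAllowedHost(hostHeader, allowedHosts = DEFAULT_ALLOWED_HOSTS) {
  const host = normalizeHost(hostHeader);
  if (host === null) return false;
  return allowedHosts.some((h) => h.toLowerCase() === host);
}

// Express-style middleware factory. `enabled: false` mirrors an off-by-default
// configuration flag; when enabled, requests whose Host is not on the list get
// a 403 and never reach the application routes.
function hostAllowlist({ enabled = true, allowedHosts = DEFAULT_ALLOWED_HOSTS } = {}) {
  return function (req, res, next) {
    if (!enabled) return next();
    const header = req.headers && req.headers.host;
    if (isAllowedHost(header, allowedHosts)) return next();
    res.statusCode = 403;
    res.end("Forbidden: request Host header is not in the allowed hosts list");
  };
}

// Constructed sample headers (not real traffic) to show the decision table.
function demo() {
  const samples = ["localhost:8000", "127.0.0.1", "[::1]:8000",
                   "rebind.attacker.example:8000", "localhost.attacker.example", ""];
  return samples.map((h) => ({ host: h, allowed: isAllowedHost(h) }));
}

for (const row of demo()) {
  console.log(`${row.host.padEnd(32)} -> ${row.allowed ? "allowed" : "rejected"}`);
}
```

When enabling a setting of this kind, the allowlist should contain exactly the names and addresses you actually type into the browser (for a LAN deployment, the machine's LAN IP or hostname as well as `localhost`); any name missing from the list produces a 403 rather than a silently degraded session, which is the correct failure mode for a rebinding defence.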

Affected Version(s)

SillyTavern < 1.13.4

CVSS V3.1

Score: 9.7
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
