The developers of SillyTavern, a popular locally hosted interface for large language models (LLMs) and AI tools, have issued a security advisory warning users of a critical web interface vulnerability — now tracked as CVE-2025-59159 — that could allow remote attackers to gain full control over SillyTavern instances.
With a CVSS score of 9.7, the flaw is classified as critical. According to the advisory, “The web UI for SillyTavern is susceptible to DNS rebinding, allowing attackers to perform actions like install malicious extensions, read your chats, inject arbitrary HTML for stuff like phishing, etc.”
The issue stems from insufficient host validation in the SillyTavern web interface, enabling a DNS rebinding attack — a technique used to bypass browser Cross-Origin Resource Sharing (CORS) restrictions.
As the project maintainers explain, “DNS rebinding is a method to bypass the CORS policies by tricking the browser into resolving something like 127.0.0.1 for a site’s DNS address.”
This effectively means that a malicious website could cause a victim’s browser to treat the local SillyTavern instance as a trusted domain, granting the attacker unauthorized access to its backend API. “This allows anybody to get remote access to anyone’s SillyTavern instance without it being exposed, just by visiting a website,” the advisory warns.
The implications are serious: attackers could silently extract sensitive chat logs, deploy rogue extensions, or even perform arbitrary HTML injection leading to phishing attacks.
The advisory summarizes the danger: “Basically just full control over your SillyTavern.”
The project team shared a proof-of-concept (PoC) that highlights how trivial it is to exploit the flaw. The attack relies on a malicious web page hosted on a remote server that continuously rebinds its DNS to point to 127.0.0.1, eventually fooling the browser into sending authenticated requests to the victim’s local SillyTavern instance.
The advisory walks through the attack setup in five steps — including using a rebind.html payload and public rebinding services such as lock.cmpxchg8b.com/rebinder.html — demonstrating that no prior authentication or network exposure is required to compromise a target running SillyTavern locally.
Once the rebind succeeds, attackers can read API responses directly in the browser console, confirming access to the victim’s data.
SillyTavern is widely used as a personal front-end for AI model APIs such as OpenAI, Anthropic Claude, KoboldAI, and Mistral, as well as image generation systems like Stable Diffusion via Automatic1111 and ComfyUI.
Given this deep integration, an attacker exploiting CVE-2025-59159 could potentially access stored API keys, chat histories, and configuration data. Even installations hosted only on local networks or Termux mobile environments are at risk if users visit a malicious website while SillyTavern is running.
The developers patched the vulnerability in version 1.13.4, introducing a new server configuration option to restrict inbound HTTP requests to a list of approved hostnames.
This feature can be configured either through the config.yaml file (hostWhitelist.enabled) or the environment variable SILLYTAVERN_HOSTWHITELIST_ENABLED. However, for compatibility reasons, the new setting is disabled by default, requiring users to manually enable host validation for protection.
The maintainers urge users to take action: “Existing and new users are encouraged to review their server configurations and apply necessary changes to their setup, especially if hosting over the local network while not using SSL.”
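Host validation defeats rebinding because the browser still sends the attacker's hostname in the Host header even after that name resolves to 127.0.0.1. The sketch below is an added example, not SillyTavern's own code: the function names, the allowlist contents, the port and the attacker hostname are all assumptions made for illustration.

```javascript
// Added example: Host-header allowlist for a service bound to loopback.
// Hostnames, port and allowlist entries are constructed sample values.

// Extract the hostname from a Host header: drop the port, handle IPv6 literals.
function hostnameFromHeader(hostHeader) {
  if (typeof hostHeader !== 'string' || hostHeader.length === 0) return null;
  const value = hostHeader.trim().toLowerCase();
  if (value.startsWith('[')) {                    // IPv6 literal such as [::1]:8000
    const end = value.indexOf(']');
    return end === -1 ? null : value.slice(1, end);
  }
  const colon = value.lastIndexOf(':');
  const host = colon === -1 ? value : value.slice(0, colon);
  return host.replace(/\.$/, '') || null;         // strip the trailing dot of an FQDN
}

// Exact match only: a name that merely contains "127.0.0.1" must not pass.
function isHostAllowed(hostHeader, allowlist) {
  const host = hostnameFromHeader(hostHeader);
  return host !== null && allowlist.includes(host);
}

// Wrap a Node-style (req, res) handler so the check runs before any route logic.
function hostGuard(allowlist, handler) {
  return (req, res) => {
    if (!isHostAllowed(req.headers.host, allowlist)) {
      res.statusCode = 403;
      res.end('Forbidden: unrecognized Host header');
      return;
    }
    handler(req, res);
  };
}

// Constructed demo: the same loopback listener seen with different Host headers.
function simulate(hostHeader) {
  const res = { statusCode: 200, body: '', end(b) { this.body = b; } };
  const guarded = hostGuard(['localhost', '127.0.0.1', '::1'], (rq, rs) => rs.end('chat data'));
  guarded({ headers: { host: hostHeader } }, res);
  return res.statusCode;
}

console.log(simulate('localhost:8000'));               // direct local use
console.log(simulate('rebind.attacker.example:8000')); // name rebound to 127.0.0.1
```

Anyone reaching the instance through a LAN hostname or reverse proxy would need that name in the allowlist, which is consistent with the advisory shipping the option disabled by default for compatibility.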