SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-t…

SillyTavern, a locally installed UI for interacting with AI models, has a session management vulnerability prior to version 1.18.0. The application uses cookie-session for authentication, storing session data in signed cookies. Password change and recovery endpoints fail to expire current sessions, and there's no server-side mechanism to revoke tokens. This allows existing sessions to remain valid even after password changes, potentially enabling unauthorized access if sessions are compromised. The vulnerability is fixed in version 1.18.0.