high advisory

DeepSeek TUI SSRF Vulnerability via IPv6 Bypass (CVE-2026-45373)

DeepSeek TUI is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of IPv6 addresses. When a URL supplies an IPv6 address in the form `http://[::1]`, the SSRF defenses are bypassed, potentially allowing access to local restricted resources. The issue is tracked as CVE-2026-45373.

DeepSeek TUI versions prior to 0.8.26 are susceptible to a Server-Side Request Forgery (SSRF) vulnerability. The application's input validation fails to properly sanitize IPv6 addresses provided in URLs, specifically when formatted as `http://[::1]`. This bypass potentially lets an attacker circumvent intended access controls and interact with internal or restricted resources that would otherwise be inaccessible from the outside network, and potentially read sensitive data or execute commands within the internal network.

Attack Chain

  1. Attacker crafts a malicious URL containing an IPv6 address in the format `http://[::1]`.
  2. The attacker inputs this URL into the DeepSeek TUI, specifically targeting the `fetch_url` tool.
  3. The `fetch_url` tool in `src/tools/fetch_url.rs` attempts to process the provided URL.
  4. The application's SSRF defenses fail to properly validate the IPv6 address `[::1]`.
  5. The application initiates a request to the specified IPv6 address (localhost).
  6. The request is routed to a local service or resource on the server.
  7. The attacker gains access to the content or functionality of the local resource.
  8. The attacker can potentially read sensitive information or perform actions within the internal network.
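The validation gap in step 4 can be shown with a small Rust sketch. This is an added example, not DeepSeek TUI's code and not the 0.8.26 fix: `host_of`, `naive_is_blocked` and `hardened_is_blocked` are hypothetical names, the naive filter is an assumed illustration of an IPv4-only check, and the sample URLs are constructed.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

// Minimal host extractor for http(s) URLs (example only; use a real URL parser in production).
fn host_of(url: &str) -> Option<&str> {
    let rest = url.strip_prefix("http://").or_else(|| url.strip_prefix("https://"))?;
    let authority = rest.split(|c: char| c == '/' || c == '?' || c == '#').next()?;
    let hostport = authority.rsplit('@').next()?; // drop any userinfo
    match hostport.strip_prefix('[') {
        Some(v6) => v6.split_once(']').map(|(h, _)| h), // bracketed IPv6 literal
        None => hostport.split(':').next(),
    }
}

fn internal_v4(ip: Ipv4Addr) -> bool {
    ip.is_loopback() || ip.is_private() || ip.is_link_local() || ip.is_unspecified()
}

fn internal_v6(ip: Ipv6Addr) -> bool {
    if let Some(v4) = ip.to_ipv4_mapped() {
        return internal_v4(v4); // ::ffff:a.b.c.d is judged as the IPv4 address it wraps
    }
    let s0 = ip.segments()[0];
    ip.is_loopback() || ip.is_unspecified()
        || (s0 & 0xfe00) == 0xfc00 // fc00::/7 unique local
        || (s0 & 0xffc0) == 0xfe80 // fe80::/10 link-local
}

// Hypothetical weak filter: knows "localhost" and IPv4 literals only, so "::1" passes.
fn naive_is_blocked(url: &str) -> bool {
    match host_of(url) {
        Some(h) => h.eq_ignore_ascii_case("localhost")
            || h.parse::<Ipv4Addr>().map_or(false, internal_v4),
        None => true,
    }
}

// Hardened filter: parses the host as either address family before deciding.
fn hardened_is_blocked(url: &str) -> bool {
    match host_of(url).map(|h| (h, h.parse::<IpAddr>())) {
        Some((_, Ok(IpAddr::V4(ip)))) => internal_v4(ip),
        Some((_, Ok(IpAddr::V6(ip)))) => internal_v6(ip),
        Some((h, Err(_))) => h.eq_ignore_ascii_case("localhost"),
        None => true, // unparseable or non-http(s) URL: refuse
    }
}

fn main() {
    for u in ["http://127.0.0.1/", "http://[::1]", "http://[::ffff:127.0.0.1]:8080/"] {
        println!("{}: naive={} hardened={}", u, naive_is_blocked(u), hardened_is_blocked(u));
    }
}
```

This covers IP literals only; a hostname that resolves to an internal address needs the same check applied to the resolved address at connection time.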

Impact

Successful exploitation of this SSRF vulnerability (CVE-2026-45373) can lead to unauthorized access to internal resources and sensitive information. Attackers could potentially read configuration files, access internal APIs, or even execute arbitrary commands on the server, depending on the accessible local resources. The specific impact depends on the configuration and services running on the targeted host.

Recommendation

  • Upgrade DeepSeek TUI to version 0.8.26 or later to remediate CVE-2026-45373.
  • Deploy the Sigma rule "Detect DeepSeek TUI SSRF Attempt via IPv6 Bypass" to detect exploitation attempts.

Detection coverage 1

Detect DeepSeek TUI SSRF Attempt via IPv6 Bypass

high

Detects CVE-2026-45373 exploitation — attempts to exploit the SSRF vulnerability in DeepSeek TUI by using a URL containing the IPv6 localhost address `http://[::1]`.

Format: sigma | Tactics: initial_access | Techniques: T1190 | Sources: webserver
