{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/deepseek-tui--0.3.0--0.8.23/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["deepseek-tui (\u003e= 0.3.0, \u003c 0.8.23)","deepseek-tui-cli (\u003e= 0.3.0, \u003c 0.8.23)"],"_cs_severities":["critical"],"_cs_tags":["rce","prompt-injection","rust","supply-chain"],"_cs_type":"advisory","_cs_vendors":["rust","npm"],"content_html":"\u003cp\u003eDeepSeek TUI is vulnerable to remote code execution (RCE) due to the \u003ccode\u003erun_tests\u003c/code\u003e tool\u0026rsquo;s automatic approval of \u003ccode\u003ecargo test\u003c/code\u003e execution. The \u003ccode\u003erun_tests\u003c/code\u003e tool executes \u003ccode\u003ecargo test\u003c/code\u003e in the workspace with \u003ccode\u003eApprovalRequirement::Auto\u003c/code\u003e, meaning it runs without any user approval prompt. The \u003ccode\u003ecargo test\u003c/code\u003e command compiles and executes arbitrary code, including test binaries, build scripts, and proc macros. A malicious repository can leverage this to execute arbitrary shell commands, exfiltrate credentials, or establish persistence without any user interaction. This vulnerability is amplified by the \u003ccode\u003eAGENTS.md\u003c/code\u003e file, which is auto-loaded into the system prompt and can instruct the model to proactively run tests at session start. This vulnerability affects versions \u0026gt;= 0.3.0 and \u0026lt; 0.8.23 of the deepseek-tui, deepseek-tui-cli, and npm/deepseek-tui packages.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker creates a malicious Rust repository.\u003c/li\u003e\n\u003cli\u003eThe repository includes a \u003ccode\u003eCargo.toml\u003c/code\u003e file, source code (\u003ccode\u003esrc/lib.rs\u003c/code\u003e), and a malicious test file (\u003ccode\u003etests/integration_test.rs\u003c/code\u003e) containing code to execute arbitrary commands, such as exfiltrating data using \u003ccode\u003ecurl\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe repository also contains an \u003ccode\u003eAGENTS.md\u003c/code\u003e file with prompt injection instructions to direct the model to run tests automatically.\u003c/li\u003e\n\u003cli\u003eA user opens the malicious repository in DeepSeek TUI using the \u003ccode\u003edeepseek-tui\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eAGENTS.md\u003c/code\u003e file is automatically loaded into the model\u0026rsquo;s system prompt, instructing the model to run tests.\u003c/li\u003e\n\u003cli\u003eThe model calls the \u003ccode\u003erun_tests\u003c/code\u003e tool, which is auto-approved due to \u003ccode\u003eApprovalRequirement::Auto\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ecargo test\u003c/code\u003e compiles and executes the malicious test code in \u003ccode\u003etests/integration_test.rs\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker receives a callback on their collaborator server, confirming remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to achieve remote code execution on the user\u0026rsquo;s machine. A malicious file in the repository (such as \u003ccode\u003eAGENTS.md\u003c/code\u003e) is auto-loaded into the model\u0026rsquo;s system prompt on session start. This content can contain prompt injection instructions that direct the model to call \u003ccode\u003erun_tests\u003c/code\u003e. Since \u003ccode\u003erun_tests\u003c/code\u003e is auto-approved, the full chain from opening the repo to arbitrary code execution requires zero user approval.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a version of DeepSeek TUI \u0026gt;= 0.8.23 to patch CVE-2026-45311.\u003c/li\u003e\n\u003cli\u003eImplement the suggested mitigation of changing \u003ccode\u003erun_tests\u003c/code\u003e to require approval to prevent automatic execution of potentially malicious code.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ecargo test\u003c/code\u003e executing shell commands, using a rule such as the one provided below to detect potential exploitation of CVE-2026-45311.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T20:36:21Z","date_published":"2026-05-14T20:36:21Z","id":"https://feed.craftedsignal.io/briefs/2026-05-deepseek-tui-rce/","summary":"DeepSeek TUI's `run_tests` tool allows for remote code execution (RCE) via a malicious repository without user approval due to auto-approval of `cargo test` execution, which can be triggered by prompt injection via the `AGENTS.md` file, affecting versions \u003e= 0.3.0 and \u003c 0.8.23.","title":"DeepSeek TUI run_tests Tool Enables RCE via Malicious Repository Without Approval","url":"https://feed.craftedsignal.io/briefs/2026-05-deepseek-tui-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Deepseek-Tui (\u003e= 0.3.0, \u003c 0.8.23)","version":"https://jsonfeed.org/version/1.1"}