Deepseek-Tui (< 0.8.22) — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/deepseek-tui--0.8.22/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 14 May 2026 20:36:59 +0000DeepSeek TUI SSRF Vulnerability via HTTP Redirect Bypass (CVE-2026-45310)https://feed.craftedsignal.io/briefs/2026-05-deepseek-tui-ssrf/Thu, 14 May 2026 20:36:59 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-deepseek-tui-ssrf/DeepSeek TUI is vulnerable to a Server-Side Request Forgery (SSRF) attack (CVE-2026-45310) because the `fetch_url` tool validates the initial URL against a restricted-IP blocklist but fails to re-validate redirect targets, allowing attackers to exfiltrate sensitive information from cloud-hosted instances by using a redirect to a restricted IP address.DeepSeek TUI is vulnerable to a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-45310) in versions prior to 0.8.22. The vulnerability exists in the fetch_url tool, which is intended to prevent SSRF attacks by validating the initial URL’s resolved IP address against a restricted-IP blocklist. However, the HTTP client (reqwest) is configured to automatically follow up to 5 redirects without re-validating the redirect target against the same SSRF protections. This allows an attacker to bypass the SSRF protection by using a redirect to a restricted IP address. The attack is triggered via prompt injection, where malicious instructions embedded in files or web content cause the model to call fetch_url with an attacker-controlled URL. This allows an attacker to exfiltrate sensitive information from cloud-hosted instances.

Attack Chain

  1. The attacker identifies a DeepSeek TUI instance running a vulnerable version (< 0.8.22).
  2. The attacker crafts a prompt containing a malicious URL that exploits the fetch_url tool. This prompt could be injected via a file or web content processed by the model.
  3. The malicious URL points to a publicly accessible server (e.g., httpbin.org) configured to redirect the request.
  4. The redirect target is a restricted IP address, such as a cloud metadata endpoint (e.g., http://169.254.169.254/latest/meta-data/).
  5. DeepSeek TUI’s fetch_url tool validates the initial URL, which passes the SSRF filter because it points to a public domain.
  6. The reqwest HTTP client automatically follows the redirect to the restricted IP address without re-validating against the SSRF filter.
  7. The fetch_url tool connects to the restricted IP address and retrieves sensitive data, such as cloud IAM credentials or instance metadata.
  8. The attacker exfiltrates the retrieved data, potentially gaining unauthorized access to cloud resources or sensitive information.

Impact

Successful exploitation of this SSRF vulnerability (CVE-2026-45310) allows an attacker to bypass intended security controls and access internal services. On cloud-hosted instances (AWS, GCP, Azure), an attacker can exfiltrate cloud IAM credentials, instance metadata, and other sensitive internal service data by redirecting fetch_url to http://169.254.169.254/latest/meta-data/. This can lead to privilege escalation, data breaches, and unauthorized access to sensitive resources.

Recommendation

  • Upgrade to DeepSeek TUI version 0.8.22 or later to patch the SSRF vulnerability (CVE-2026-45310).
  • Implement input validation and sanitization to prevent prompt injection attacks that could trigger the fetch_url tool with malicious URLs.
  • Monitor network connections originating from DeepSeek TUI instances for connections to internal IP addresses, as indicated in the IOCs.
  • Deploy the Sigma rule to detect attempts to bypass the SSRF filter by redirecting to restricted IP addresses.
]]>highadvisoryssrfprompt-injectioncloud-metadata