{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/deepseek/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["deepseek-tui (\u003c 0.8.22)","deepseek-tui-cli (\u003c 0.8.22)"],"_cs_severities":["high"],"_cs_tags":["ssrf","prompt-injection","cloud-metadata"],"_cs_type":"advisory","_cs_vendors":["DeepSeek"],"content_html":"\u003cp\u003eDeepSeek TUI versions prior to 0.8.22 contain a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-45310). The flaw is in the \u003ccode\u003efetch_url\u003c/code\u003e tool, which attempts to prevent SSRF by validating the initial URL\u0026rsquo;s resolved IP address against a restricted-IP blocklist. However, the HTTP client (\u003ccode\u003ereqwest\u003c/code\u003e) is configured to automatically follow up to 5 redirects without re-validating the redirect target against the same SSRF protections. An attacker can therefore bypass the SSRF protection by using a redirect to a restricted IP address. The attack is triggered via prompt injection, where malicious instructions embedded in files or web content cause the model to call \u003ccode\u003efetch_url\u003c/code\u003e with an attacker-controlled URL. This allows an attacker to exfiltrate sensitive information from cloud-hosted instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a DeepSeek TUI instance running a vulnerable version (\u0026lt; 0.8.22).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a prompt containing a malicious URL that exploits the \u003ccode\u003efetch_url\u003c/code\u003e tool. 
This prompt could be injected via a file or web content processed by the model.\u003c/li\u003e\n\u003cli\u003eThe malicious URL points to a publicly accessible server (e.g., httpbin.org) configured to redirect the request.\u003c/li\u003e\n\u003cli\u003eThe redirect target is a restricted IP address, such as a cloud metadata endpoint (e.g., \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeepSeek TUI\u0026rsquo;s \u003ccode\u003efetch_url\u003c/code\u003e tool validates the initial URL, which passes the SSRF filter because it points to a public domain.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ereqwest\u003c/code\u003e HTTP client automatically follows the redirect to the restricted IP address \u003cem\u003ewithout\u003c/em\u003e re-validating against the SSRF filter.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efetch_url\u003c/code\u003e tool connects to the restricted IP address and retrieves sensitive data, such as cloud IAM credentials or instance metadata.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the retrieved data, potentially gaining unauthorized access to cloud resources or sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability (CVE-2026-45310) allows an attacker to bypass intended security controls and access internal services. On cloud-hosted instances (AWS, GCP, Azure), an attacker can exfiltrate cloud IAM credentials, instance metadata, and other sensitive internal service data by redirecting \u003ccode\u003efetch_url\u003c/code\u003e to \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/\u003c/code\u003e. 
This can lead to privilege escalation, data breaches, and unauthorized access to sensitive resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to DeepSeek TUI version 0.8.22 or later to patch the SSRF vulnerability (CVE-2026-45310).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization to prevent prompt injection attacks that could trigger the \u003ccode\u003efetch_url\u003c/code\u003e tool with malicious URLs.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from DeepSeek TUI instances for connections to internal IP addresses, as indicated in the IOCs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect attempts to bypass the SSRF filter by redirecting to restricted IP addresses.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T20:36:59Z","date_published":"2026-05-14T20:36:59Z","id":"https://feed.craftedsignal.io/briefs/2026-05-deepseek-tui-ssrf/","summary":"DeepSeek TUI is vulnerable to a Server-Side Request Forgery (SSRF) attack (CVE-2026-45310) because the `fetch_url` tool validates the initial URL against a restricted-IP blocklist but fails to re-validate redirect targets, allowing attackers to exfiltrate sensitive information from cloud-hosted instances by using a redirect to a restricted IP address.","title":"DeepSeek TUI SSRF Vulnerability via HTTP Redirect Bypass (CVE-2026-45310)","url":"https://feed.craftedsignal.io/briefs/2026-05-deepseek-tui-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — DeepSeek","version":"https://jsonfeed.org/version/1.1"}