Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
Although SSRF is validated against hostnames that resolve to private IPv6 addresses, when providing the IPV6 in URL as http://[::1], the SSRF defenses do not work.
Details
https://github.com/Hmbown/DeepSeek-TUI/blob/15f62e3e93d842f30b428877819ebc1c8cb96814/crates/tui/src/tools/fetch_url.rs#L321
PoC
Prompt: Run fetch_url tool and give output, no thinking. Use url : http://[::1]
Impact
Access to local restricted resources
AnalysisAI
Server-Side Request Forgery in DeepSeek-TUI's fetch_url tool allows remote attackers to bypass IPv6 SSRF protections and access local restricted resources. The vulnerability exists in versions prior to 0.8.26 where supplying IPv6 addresses in bracket notation (http://[::1]) circumvents hostname-based validation that only checks resolved addresses, not literal IPv6 URLs. Public exploit code exists with a working proof-of-concept requiring only user interaction to trigger via a malicious prompt. CVSS score of 7.4 reflects high confidentiality impact with scope change, though EPSS data is not available for this recently disclosed vulnerability.
Technical ContextAI
DeepSeek-TUI is a Rust-based terminal user interface for DeepSeek AI models (pkg:rust/deepseek-tui) that includes a fetch_url tool for retrieving external content. The vulnerability stems from CWE-918 (Server-Side Request Forgery) in the URL validation logic at crates/tui/src/tools/fetch_url.rs line 321. The SSRF protection mechanism validates hostnames by resolving them to IP addresses and rejecting private IPv6 ranges, but fails to handle IPv6 addresses provided directly in RFC 2732 bracket notation (http://[::1]). This implementation gap allows the literal IPv6 loopback address to bypass the resolver-based validation entirely, as the check occurs after hostname resolution rather than during URL parsing. The Rust crate's architecture separates the dispatcher (deepseek-tui-cli) from the runtime (deepseek-tui), both of which must be present for the application to function.
RemediationAI
Upgrade to DeepSeek-TUI version 0.8.26 or later, which includes a fix for the IPv6 SSRF bypass. For npm installations, run 'npm install -g deepseek-tui' to update to the patched version. For Cargo installations, run 'cargo install deepseek-tui-cli deepseek-tui --locked --force' to reinstall both required binaries. Docker users should update to the v0.8.26 tag or latest using 'docker pull ghcr.io/hmbown/deepseek-tui:v0.8.26'. Manual binary installations require downloading both the dispatcher and runtime binaries for your platform from the v0.8.26 release at https://github.com/Hmbown/DeepSeek-TUI/releases/tag/v0.8.26 and verifying checksums against deepseek-artifacts-sha256.txt. If immediate patching is not feasible, implement network-level restrictions to prevent the DeepSeek-TUI process from accessing sensitive localhost services (block outbound connections from the application to ports 80, 443, 3306, 5432, 6379, 8080, 9200, and cloud metadata endpoints at 169.254.169.254/::1). Note this workaround degrades legitimate fetch_url functionality and is not a complete mitigation as attackers may target non-standard ports. Consider running DeepSeek-TUI in containerized environments with restrictive network policies as defense-in-depth, though this does not prevent exploitation of services within the same container. Do not rely on prompt filtering as the primary control-the vulnerability exists at the URL validation layer regardless of input source.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32963
GHSA-88gh-2526-gfrr