Skip to main content

DeepSeek-TUI EUVDEUVD-2026-32963

| CVE-2026-45373 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-14 https://github.com/Hmbown/DeepSeek-TUI GHSA-88gh-2526-gfrr
7.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.4 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 14, 2026 - 22:01 vuln.today
Analysis Generated
May 14, 2026 - 22:01 vuln.today
CVE Published
May 14, 2026 - 20:29 nvd
HIGH 7.4

DescriptionGitHub Advisory

Summary

Although SSRF is validated against hostnames that resolve to private IPv6 addresses, when providing the IPV6 in‌‌ URL‌ as http://[::1], the SSRF defenses do not work.

Details

https://github.com/Hmbown/DeepSeek-TUI/blob/15f62e3e93d842f30b428877819ebc1c8cb96814/crates/tui/src/tools/fetch_url.rs#L321

PoC

Prompt:‌ Run fetch_url tool and give output, no thinking. Use url : http://[::1]

Impact

Access to local restricted resources

AnalysisAI

Server-Side Request Forgery in DeepSeek-TUI's fetch_url tool allows remote attackers to bypass IPv6 SSRF protections and access local restricted resources. The vulnerability exists in versions prior to 0.8.26 where supplying IPv6 addresses in bracket notation (http://[::1]) circumvents hostname-based validation that only checks resolved addresses, not literal IPv6 URLs. Public exploit code exists with a working proof-of-concept requiring only user interaction to trigger via a malicious prompt. CVSS score of 7.4 reflects high confidentiality impact with scope change, though EPSS data is not available for this recently disclosed vulnerability.

Technical ContextAI

DeepSeek-TUI is a Rust-based terminal user interface for DeepSeek AI models (pkg:rust/deepseek-tui) that includes a fetch_url tool for retrieving external content. The vulnerability stems from CWE-918 (Server-Side Request Forgery) in the URL validation logic at crates/tui/src/tools/fetch_url.rs line 321. The SSRF protection mechanism validates hostnames by resolving them to IP addresses and rejecting private IPv6 ranges, but fails to handle IPv6 addresses provided directly in RFC 2732 bracket notation (http://[::1]). This implementation gap allows the literal IPv6 loopback address to bypass the resolver-based validation entirely, as the check occurs after hostname resolution rather than during URL parsing. The Rust crate's architecture separates the dispatcher (deepseek-tui-cli) from the runtime (deepseek-tui), both of which must be present for the application to function.

RemediationAI

Upgrade to DeepSeek-TUI version 0.8.26 or later, which includes a fix for the IPv6 SSRF bypass. For npm installations, run 'npm install -g deepseek-tui' to update to the patched version. For Cargo installations, run 'cargo install deepseek-tui-cli deepseek-tui --locked --force' to reinstall both required binaries. Docker users should update to the v0.8.26 tag or latest using 'docker pull ghcr.io/hmbown/deepseek-tui:v0.8.26'. Manual binary installations require downloading both the dispatcher and runtime binaries for your platform from the v0.8.26 release at https://github.com/Hmbown/DeepSeek-TUI/releases/tag/v0.8.26 and verifying checksums against deepseek-artifacts-sha256.txt. If immediate patching is not feasible, implement network-level restrictions to prevent the DeepSeek-TUI process from accessing sensitive localhost services (block outbound connections from the application to ports 80, 443, 3306, 5432, 6379, 8080, 9200, and cloud metadata endpoints at 169.254.169.254/::1). Note this workaround degrades legitimate fetch_url functionality and is not a complete mitigation as attackers may target non-standard ports. Consider running DeepSeek-TUI in containerized environments with restrictive network policies as defense-in-depth, though this does not prevent exploitation of services within the same container. Do not rely on prompt filtering as the primary control-the vulnerability exists at the URL validation layer regardless of input source.

Share

EUVD-2026-32963 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy