VYPR
High severity · GHSA Advisory · Published May 14, 2026 · Updated May 14, 2026

DeepSeek TUI has SSRF via HTTP Redirect Bypass in fetch_url Tool

CVE-2026-45310

Description

Summary

The fetch_url tool validates the initial URL's resolved IP address against a restricted-IP blocklist (is_restricted_ip()) to prevent SSRF attacks against internal services (cloud metadata endpoints, localhost, private networks). However, the HTTP client (reqwest) is configured to automatically follow up to 5 redirects (reqwest::redirect::Policy::limited(5)) without re-validating the redirect target against the same SSRF protections.

PoC

Step 1 — Baseline: Confirm fetch_url blocks direct requests to restricted IPs.

Prompt: use fetch_url to fetch http://169.254.169.254/latest/meta-data/
Expected: Error — "restricted address (private/loopback/link-local)"

Step 2 — SSRF bypass via redirect: Fetch a public URL that redirects to the restricted IP.

Prompt: use fetch_url to fetch http://httpbin.org/redirect-to?url=http://169.254.169.254/latest/meta-data/&status_code=302

Expected result: The error message says "connection refused" or "request failed: connect error" — NOT "restricted address." This proves the SSRF filter was bypassed; the connection failed only because 169.254.169.254 is unreachable from a non-cloud machine.

Observed result: fetch_url followed the 302 redirect and attempted to connect to 169.254.169.254. The error was a TCP-level connection failure, confirming the application-layer SSRF check was not applied to the redirect target.

Step 3 — Redirect to attacker-controlled host: Confirm attacker-controlled redirect targets are followed.

Prompt: use fetch_url to fetch http://httpbin.org/redirect-to?url=http://[collaborator-domain]/ssrf-redirect-bypass&status_code=302
Expected: Collaborator receives HTTP callback at /ssrf-redirect-bypass, confirming the redirect was followed.

Impact

On cloud-hosted instances (AWS, GCP, Azure), an attacker can exfiltrate cloud IAM credentials, instance metadata, and other sensitive internal service data by redirecting fetch_url to http://169.254.169.254/latest/meta-data/. The attack is triggered via prompt injection (malicious instructions embedded in files or web content the model processes) that cause the model to call fetch_url with an attacker-controlled URL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2026-45310 is a high-severity SSRF vulnerability in DeepSeek-TUI's fetch_url tool, where HTTP redirects bypass the initial IP blocklist check, potentially exposing cloud metadata.

Vulnerability

The fetch_url tool in DeepSeek-TUI validates the initial URL's resolved IP address against a restricted-IP blocklist (is_restricted_ip()) to prevent Server-Side Request Forgery (SSRF) attacks against internal services such as cloud metadata endpoints, localhost, and private networks. However, the HTTP client (reqwest) is configured to automatically follow up to 5 redirects (reqwest::redirect::Policy::limited(5)) without re-validating the redirect target against the same SSRF protections [1][2].

Exploitation

An attacker can exploit this by providing a URL that initially points to a public host and then redirects to a restricted IP address (e.g., http://169.254.169.254/latest/meta-data/). The tool follows the redirect and attempts to connect to the internal address, bypassing the initial IP validation. The attack can be triggered via prompt injection, where malicious instructions are embedded in files processed by the tool [1][2].

Impact

On cloud-hosted instances (AWS, GCP, Azure), an attacker can exfiltrate cloud IAM credentials, instance metadata, and other sensitive internal service data by redirecting fetch_url to the cloud metadata endpoint. The vulnerability has a CVSS score of 7.5 (high), indicating significant potential for data exposure [1][2].

Mitigation

The vulnerability is fixed in version 0.8.22 of DeepSeek-TUI. Users are advised to update to this version or later to ensure that redirect targets are also validated against the restricted-IP blocklist [3].
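The check that closes this class of bypass, as an added example in std-only Rust (not DeepSeek-TUI's code and not tied to reqwest's redirect API): every URL in the chain, the initial one and each Location, is resolved and screened by the same blocklist before it is followed, and the screen also unwraps IPv4-mapped IPv6 addresses, which goes beyond the page's case. `host_of`, `validate_chain` and the offline `fake_resolve` stand-in for DNS are assumptions constructed for this example.

```rust
use std::net::{IpAddr, Ipv4Addr};

// Blocklist applied to each resolved address. IPv4-mapped IPv6 (::ffff:a.b.c.d)
// is unwrapped first so the metadata address cannot slip through in that spelling.
fn is_restricted_ip(ip: IpAddr) -> bool {
    let v4_bad = |a: Ipv4Addr| a.is_private() || a.is_loopback() || a.is_link_local()
        || a.is_unspecified() || a.is_broadcast() || a.octets()[0] == 0;
    match ip {
        IpAddr::V4(v4) => v4_bad(v4),
        IpAddr::V6(v6) => match v6.to_ipv4_mapped() {
            Some(v4) => v4_bad(v4),
            None => v6.is_loopback() || v6.is_unspecified()
                || (v6.segments()[0] & 0xffc0) == 0xfe80  // fe80::/10 link-local
                || (v6.segments()[0] & 0xfe00) == 0xfc00, // fc00::/7 unique local
        },
    }
}

// Host of an http(s) URL with std only (hypothetical helper, not the crate's own).
fn host_of(url: &str) -> Option<&str> {
    let rest = url.strip_prefix("http://").or_else(|| url.strip_prefix("https://"))?;
    let hostport = rest.split(['/', '?', '#']).next()?.rsplit('@').next()?;
    match hostport.strip_prefix('[') {
        Some(v6) => v6.split(']').next(), // bracketed IPv6 literal
        None => hostport.split(':').next(),
    }
}

// Validate every hop (initial URL plus each Location) against the blocklist; passing
// `&hops[..1]` reproduces the pre-0.8.22 behaviour of checking only the initial URL.
fn validate_chain<R: Fn(&str) -> Vec<IpAddr>>(hops: &[&str], max_redirects: usize, resolve: R) -> Result<(), String> {
    if hops.len() > max_redirects + 1 { return Err(format!("exceeded {max_redirects} redirects")); }
    for (i, url) in hops.iter().enumerate() {
        let host = host_of(url).ok_or_else(|| format!("hop {i}: unparseable URL {url}"))?;
        let addrs = resolve(host);
        if addrs.is_empty() { return Err(format!("hop {i}: {host} did not resolve")); }
        if let Some(bad) = addrs.iter().find(|ip| is_restricted_ip(**ip)) {
            return Err(format!("hop {i}: {host} -> {bad}: restricted address (private/loopback/link-local)"));
        }
    }
    Ok(())
}

// Constructed stand-in for DNS so the example runs offline: IP literals resolve to
// themselves; the one public hostname maps to a TEST-NET-3 documentation address.
fn fake_resolve(host: &str) -> Vec<IpAddr> {
    host.parse::<IpAddr>().map(|ip| vec![ip]).unwrap_or_else(|_| match host {
        "httpbin.org" => vec![IpAddr::V4(Ipv4Addr::new(203, 0, 113, 10))],
        _ => Vec::new(),
    })
}
```

With the PoC chain `["http://httpbin.org/redirect-to", "http://169.254.169.254/latest/meta-data/"]`, checking only `&chain[..1]` returns `Ok(())` while checking the full chain rejects hop 1 with the restricted-address error.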

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Registry   Affected versions   Patched versions
deepseek-tui       crates.io  < 0.8.22            0.8.22
deepseek-tui-cli   crates.io  < 0.8.22            0.8.22
deepseek-tui       npm        < 0.8.22            0.8.22
