CVE-2025-63872

6.1 MEDIUM

📋 TL;DR

DeepSeek V3.2 contains an XSS vulnerability where malicious JavaScript can be executed through SVG content generated by the model. This affects users who view or interact with SVG content from DeepSeek V3.2, potentially allowing attackers to steal session cookies, redirect users, or perform actions on their behalf.

💻 Affected Systems

Products:
  • DeepSeek Chat
Versions: V3.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems running DeepSeek V3.2 with SVG generation capabilities enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal user session tokens, perform account takeover, redirect users to malicious sites, or execute arbitrary actions in the context of the victim's authenticated session.

🟠 Likely Case

Session hijacking, credential theft, or unauthorized actions performed within the user's DeepSeek session.

🟢 If Mitigated

Limited impact if proper Content Security Policy (CSP) headers are implemented and SVG sanitization is enforced.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction with malicious SVG content, but the technical barrier is low given public proof-of-concept details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Monitor DeepSeek official channels for security updates.
2. Upgrade to a patched version when available.
3. Apply workarounds in the meantime.

🔧 Temporary Workarounds

Implement Content Security Policy (applies to: all)

Add CSP headers to restrict script execution from untrusted sources: send the HTTP response header Content-Security-Policy: script-src 'self'.

Disable SVG Generation (applies to: all)

Temporarily disable SVG content generation in DeepSeek configuration: set SVG generation to disabled in the application configuration.

🧯 If You Can't Patch

  • Implement strict input validation and output encoding for SVG content
  • Use web application firewalls (WAF) with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Test if SVG content containing JavaScript executes when rendered in the application.

Check Version:

Check DeepSeek version in application settings or via API endpoint

Verify Fix Applied:

Verify that SVG content is properly sanitized and JavaScript does not execute.
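The sanitization recommended under "If You Can't Patch" and the verification steps in this section, as an added example that is not part of this advisory and not DeepSeek's code: a parser-based SVG sanitizer in Python that removes script-capable elements, event-handler attributes and javascript:/data: URLs from model-generated SVG before it is inlined, plus a check that lists any active content still present. The element and attribute policy, and the assumption that generated SVG is post-processed server-side as XML, are this example's own; the sample markup is constructed.

```python
"""Parser-based sanitizer and active-content check for model-generated SVG.

Added example (not DeepSeek code). Assumes the SVG is handled as XML on the
server before the chat UI inlines it; the element/attribute lists are this
example's own policy, and the sample markup below is constructed.
"""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialize as <svg xmlns=...>, not ns0:svg
ET.register_namespace("xlink", XLINK_NS)

# Elements that can execute script or embed arbitrary HTML inside SVG.
# animate/set are included because they can rewrite an href to a javascript: URL
# after load; this is a conservative choice that also drops harmless animation.
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object", "animate", "set"}


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def _url_allowed(value):
    """Allow relative URLs, fragments and http(s); reject javascript:, data:, etc.

    Whitespace is removed first because 'java\\nscript:' is still a javascript:
    URL once the browser normalizes it.
    """
    v = "".join(value.split()).lower()
    scheme, sep, _ = v.partition(":")
    if not sep or any(c in scheme for c in "/?#"):
        return True          # no scheme present: relative path or fragment
    return scheme in ("http", "https")


def _parse(svg_text):
    # DOCTYPE/ENTITY declarations are never needed in generated SVG; refusing
    # them keeps entity-expansion tricks away from the parser entirely.
    if "<!DOCTYPE" in svg_text or "<!ENTITY" in svg_text:
        raise ValueError("DOCTYPE/ENTITY declarations not allowed in generated SVG")
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("root element must be <svg>")
    return root


def find_active_content(svg_text):
    """List script-capable content in document order; an empty list means clean."""
    findings = []
    for elem in _parse(svg_text).iter():
        tag = _local(elem.tag)
        if tag in FORBIDDEN_TAGS:
            findings.append(f"element:{tag}")
        for name, value in elem.attrib.items():
            attr = _local(name).lower()
            if attr.startswith("on"):                      # onload, onclick, onerror ...
                findings.append(f"attribute:{attr}")
            elif attr == "href" and not _url_allowed(value):
                findings.append(f"url:{tag}@href")
    return findings


def is_safe_svg(svg_text):
    """True only if the markup parses as <svg> and carries no active content."""
    try:
        return find_active_content(svg_text) == []
    except (ET.ParseError, ValueError):
        return False


def _scrub(elem):
    for child in list(elem):
        if _local(child.tag) in FORBIDDEN_TAGS:
            elem.remove(child)                             # drops the whole subtree
        else:
            _scrub(child)
    for name in list(elem.attrib):
        attr = _local(name).lower()
        if attr.startswith("on") or (attr == "href" and not _url_allowed(elem.attrib[name])):
            del elem.attrib[name]


def sanitize_svg(svg_text):
    """Return sanitized markup; raises ValueError/ParseError on malformed input."""
    root = _parse(svg_text)
    _scrub(root)
    return ET.tostring(root, encoding="unicode")


# Constructed test vector covering the classic inline-SVG script vectors.
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="alert(1)">
  <rect x="10" y="10" width="80" height="80" fill="green"/>
  <script>alert(2)</script>
  <a xlink:href="java&#10;script:alert(3)"><text x="20" y="50">click</text></a>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(4)"/></body></foreignObject>
</svg>"""

if __name__ == "__main__":
    print(find_active_content(MALICIOUS_SVG))
    print(sanitize_svg(MALICIOUS_SVG))
```

find_active_content() doubles as the "Verify Fix Applied" check: run it over the markup the UI actually receives and expect an empty list. Because it works on the parsed tree rather than on raw text, entity-encoded or whitespace-split schemes such as java&#10;script: are seen already decoded, which a plain string search would miss. Rendering the sanitized result through an img element rather than inlining it into the page DOM additionally prevents script execution even where a sanitizer gap remains.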

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG generation requests
  • JavaScript execution in SVG content logs

Network Indicators:

  • HTTP requests with malicious SVG payloads
  • Unexpected external script loads from SVG content

SIEM Query:

search 'svg' AND 'javascript' in web application logs
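The log and network indicators listed in this section, as an added example that is not part of this advisory: a Python scan over constructed application log lines that percent- and entity-decodes each line before matching indicators of script-capable SVG (script elements, event handlers, foreignObject, external script loads, javascript: URLs). The log format, the svg_render and content= fields and the sample lines are assumptions; naive_siem_match() reproduces the keyword query above on the raw line for comparison.

```python
"""Indicator scan over application log lines carrying model-generated SVG.

Added example for the Detection & Monitoring section. The log format, field
names (svg_render, content=...) and sample lines are constructed assumptions,
not DeepSeek's own logs.
"""
import html
import re
from urllib.parse import unquote

# Indicators of script-capable SVG, applied to the decoded line so that
# percent-encoded or entity-encoded payloads are not missed.
INDICATORS = {
    "script_element": re.compile(r"<script\b", re.I),
    "foreign_object": re.compile(r"<foreignObject\b", re.I),
    "event_handler": re.compile(r"<[^>]*\son[a-z]+\s*=", re.I),          # onload=, onerror= ...
    "external_script": re.compile(r"""<script\b[^>]*\ssrc\s*=\s*["']?https?://""", re.I),
}
# Checked on the line with all whitespace removed, so "java\nscript:" still fires.
SCHEME_INDICATOR = re.compile(r"(javascript|vbscript):", re.I)

# Constructed sample: three svg_render events and one unrelated chat reply.
SAMPLE_LOGS = [
    "2025-11-20T10:01:02Z INFO svg_render user=u1 bytes=412 content="
    "%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Ccircle%20r%3D%2240%22%2F%3E%3C%2Fsvg%3E",
    "2025-11-20T10:01:09Z INFO svg_render user=u2 bytes=640 content="
    "%3Csvg%20onload%3D%22alert(1)%22%3E%3Cscript%20src%3D%22https%3A%2F%2Fcdn.example.net%2Fx.js%22%3E%3C%2Fscript%3E%3C%2Fsvg%3E",
    "2025-11-20T10:02:15Z INFO svg_render user=u3 bytes=300 content="
    "%3Csvg%3E%3Ca%20href%3D%22java%26%2310%3Bscript%3Aalert(2)%22%3Ehi%3C%2Fa%3E%3C%2Fsvg%3E",
    "2025-11-20T10:03:00Z INFO chat_reply user=u4 text=here%20is%20the%20svg%20and%20javascript%20you%20asked%20for",
]


def decode_line(line):
    """Undo percent-encoding, then HTML/XML character references."""
    return html.unescape(unquote(line))


def scan_log_line(line):
    """Return the sorted indicator names that fire on one log line."""
    decoded = decode_line(line)
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    if SCHEME_INDICATOR.search("".join(decoded.split())):
        hits.append("javascript_uri")
    return sorted(hits)


def scan_logs(lines):
    """Return (line_index, indicators) for every line with at least one hit."""
    results = []
    for i, line in enumerate(lines):
        hits = scan_log_line(line)
        if hits:
            results.append((i, hits))
    return results


def naive_siem_match(line):
    """The keyword query from this section ('svg' AND 'javascript'), on the raw line."""
    low = line.lower()
    return "svg" in low and "javascript" in low


if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS):
        print(idx, hits)
```

On the constructed sample the decoded indicator scan flags the onload handler, external script load and script element on the second line and the whitespace-split javascript: URL on the third, while the raw keyword query matches only the harmless fourth line (the word "javascript" in a chat reply) and misses both payloads because they arrive percent-encoded. Decoding before matching, and keying on markup structure rather than on bare keywords, is what makes the SIEM rule usable.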
