R1, the latest large language model (LLM) of the Chinese startup Deepseek, is under fire for multiple security weaknesses.
The projectors of the company on the performance of its LLM reasoning also carried out a meticulous examination. A handful of security research reports published at the end of January highlighted the defects of the model.
In addition, the LLM underforms critically in a newly launched AI security reference designed to help security practitioners and developers to test LLM applications for rapid injection attacks that can lead to operations.
Deepseek-R1: Top interpreter with security problems
Like O1 of Openai, Deepseek-R1 is a model of reasoning, an AI formed with the strengthening learning to carry out a complex reasoning.
As of January 31, 2025, R1 was ranked sixth on the Chatbot Arena BenchmarkOne of the most recognized methods to assess LLM performance.
This means that R1 works better than the main models such as Meta’s Lalama 3.1-405B, O1 of Openai and Claude 3.5 of Anthropic.
However, the latest Deepseek model works badly in Simple fast injection kit for assessment and exploitation (Spikee), a new AI security reference.
Read more: Chinese Genai startup Deepseek Sparks Global Privacy Debate
Withsecure Spikee Benchmark
This reference, launched on January 28, is designed to test the AI models for their resistance to cause injection attacks with real cases of using the workflow of the AI.
In practice, researchers from WithSecure Consulting have evaluated the sensitivity of LLM and their applications to targeted rapid injection attacks, analyzing their ability to distinguish data and instructions.
Speak with InfoscussionDonato Capitella, IA security researcher at Withsecure Consulting, explained: “Unlike existing tools that focus on large jailbreak scenarios (for example, asking an LLM to build a bomb), Spikee prioritizes the threats of Cybersecurity such as data exfiltration, cross scripts (XSS) (XSS) (and resource exhaustion, based on real results and Pentisting practices. »»
“Instead of focusing on large fast injection scenarios, we try to assess how a hacker can target an organization or tool on which an organization has built or relying, with an LLM”, He added.
At the time of the editorial staff of the editorial staff, the security consulting team tested 19 LLM against a set of data in English only from 1912 entries built in December 2024, including common rapid injection models observed in its Practice of slopes and safety insurance.


The researchers evaluated the use cases on the basis of four scenarios:
- Naked prompt: LLM is used in a workflow or an application without having received instructions
- With a system message: the LLM used in a workflow or an application is provided with specific rules intended to protect rapid injection attacks
- With the spotlight: the LLM used in a workflow or an application is provided with data markers indicating where to apply the original task in the original prompt
- With System + Spot Lupting: The LLM used in a workflow or an application receives specific rules intended to protect injection attacks and rapid data markers to install it where to apply the given task in the original prompt
Capitella noted that the addition of specific rules and markers of data can help protect workflows or LLM applications from rapid injection attacks which would otherwise succeed when the LLM is used alone.
Deepseek-R1 ranks 17th Of the 19 llm tested when used in isolation – with a success rate of attack (ASR) of 77% – and 16th When used alongside predefined rules and markers, with an ASR of 55%.
In comparison, O1 -PREVIEW D’OPENAI ranks fourth when used in isolation – with an ASR of 27% – and at the top of the ranking when used alongside rules and markers of predefined data, tests do not showing no successful attack on the LLM.
According to Capitella, a bad score means that the Deepseek team responsible for building R1 “has neglected training and safety training to make the model resistant to the types of attacks that we have observed”.
Instead, they probably focused on carrying out certain scores in specific LLM performance marks.
“The organizations arranged to use Deepseek-R1 in their workflows should carefully examine the use cases for which they wish to use it, the data to which they plan to give it access and what they could expose this data,” added the researcher.
Security reports highlight the vulnerabilities of Deepseek-R1
In addition, security reports have started to show that R1 also has many security weaknesses that could expose all organizations deploy the LLM.
According to a January 27 report of the Kela Cyber, Deepseek-R1 Council is very sensitive to cyber-men, which makes it an easy target for attackers exploiting the Vulnerabilities of the AI.
Kela cyber tests has revealed that the model can be easily jailbreaké Using a variety of techniques, in particular via the “Jailbreak evil” method, which exploits the model by encouraging it to adopt a “evil” personality.
The Red Teamers were able to Jailbreaker GPT 3.5 from Openai using this technique in 2023. Openai has since implemented the appropriate goalkeeper to make the jailbreaks ineffective on subsequent models, including GPT-4 and GPT-4O.


The Palo Alto Networks research team, Unit 42, noted that the R1 and V3 models of Deepseek are vulnerable to three distinct jailbreaking techniques: crescendo, deceptive delight and bad judge of Likert.
Crescendo is a well -known jailbreak technique taking advantage of the knowledge of an LLM by gradually inciting it with related content, subtly guiding the conversation to prohibited subjects until the model safety mechanisms are actually replaced.
The misleading pleasure and the bad judge of Likert are two new techniques developed by unit 42.
The first is a simple and multi-tours jailbreaking technique where an attacker bypassing the safety measures of an LLM by integrating dangerous subjects among those mild in a positive story.
This last jailbreaks technique manipulates an LLM by asking it to assess the harmful of the responses using a Likert scale, a measure of the agreement or the disagreement to a declaration. The LLM is then invited to generate examples aligned on these notes, with the best rated examples potentially containing the desired harmful content.
Unit 42 shared their results a report Posted on January 30.
Safety company Ai Enkryptai did a red team exercise On several LLM using three security frameworks: Owasp Top 10 for LLMS, Miter Atlas and the framework of the National Institute of Standards and Technology IA Risk Management (NIST AI RMF).
The LLMS tested by Enkryptai included Deepseek-R1, Open AI, O1, GPT-4O of Openai and Claude-3-Opus of Anthropic.
The Red Teamers found that compared to the O1 model of Openai, R1 was four times more vulnerable to the generation of unsecured code and 11 times more likely to create harmful outings.
A fourth report from the AI Protect AI security company has seen no vulnerability in the official version of Deepseek-R1, as downloaded from the Huggingface IA standard. However, researchers Found refined variants of non -safe Deepseek models who have the capacity to execute arbitrary code when loading the model or to have suspicious architectural models.
Infocurity contacted Deepseek for comments, but the company did not respond from publication time.
Photo credit: Michele Ursi / Robert Way / Shutterstock
Read more: Deepseek Exposed Database Fuise sensitive data