Description
CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.22, the fetch_url tool validates the initial URL's resolved IP address against a restricted-IP blocklist (is_restricted_ip()) to prevent SSRF attacks against internal services (cloud metadata endpoints, localhost, private networks). However, the HTTP client (reqwest) is configured to automatically follow up to 5 redirects (reqwest::redirect::Policy::limited(5)) without re-validating the redirect target against the same SSRF protections. This vulnerability is fixed in 0.8.22.
Published: 2026-05-28
Score: 7.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The fetch_url tool in CodeWhale validates the initial URL against a restricted IP blocklist to stop SSRF attacks. However, the HTTP client is configured to follow up to five redirects without re‑applying the blocklist check. A malicious URL that redirects to an internal address therefore bypasses the SSRF protection, allowing the attacker to cause CodeWhale to retrieve resources from internal services such as cloud metadata endpoints, localhost, or private networks. This can lead to disclosure of sensitive internal data, privilege escalation, or disruption of internal services.

Affected Systems

Hmbown CodeWhale versions prior to 0.8.22 are affected. Users running any release before 0.8.22 that uses fetch_url are vulnerable.

Risk and Exploitability

The CVSS score of 7.4 classifies this flaw as High severity. EPSS is not available and the vulnerability is not listed in CISA KEV, suggesting that public exploitation activity has not yet been observed. The likely attack vector is either local or remote depending on how the fetch_url command is invoked; an attacker who can supply a malicious URL to CodeWhale can induce the tool to resolve an internal address via a redirect chain. Proper validation of redirect targets would mitigate the risk, but without it the flaw can be exploited with access to the fetch_url interface.

Generated by OpenCVE AI on May 28, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CodeWhale to version 0.8.22 or later to eliminate the SSRF bypass.
  • If upgrading immediately is not feasible, disable automatic redirect following for fetch_url or limit the number of allowed redirects to zero.
  • Monitor outgoing HTTP traffic from CodeWhale for unexpected connections to internal IP ranges to detect potential misuse.
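The description above (a one-time `is_restricted_ip()` check on the initial URL, then a reqwest client that follows up to 5 redirects unchecked) and the recommended actions (limit redirects or validate each hop) can be shown side by side. The following is an added example, not CodeWhale's code: it models the blocklist in plain `std::net`, replaces DNS and the servers with a constructed in-memory `FakeNet`, and exposes one `fetch` function whose `revalidate_hops` flag switches between the pre-0.8.22 behaviour and the fixed one. The hostnames, addresses and redirect chain are constructed; `host_of` is a hypothetical helper standing in for a URL parser.

```rust
use std::collections::HashMap;
use std::net::IpAddr;

/// Blocklist modelled on the page's is_restricted_ip(): loopback, RFC 1918,
/// link-local (which covers the 169.254.169.254 metadata endpoint), CGNAT,
/// unspecified/broadcast, IPv6 ULA/link-local, and IPv4-mapped IPv6 forms.
pub fn is_restricted_ip(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => {
            let o = v4.octets();
            v4.is_loopback()
                || v4.is_private()
                || v4.is_link_local()
                || v4.is_unspecified()
                || v4.is_broadcast()
                || (o[0] == 100 && (o[1] & 0xC0) == 64) // 100.64.0.0/10 (CGNAT)
        }
        IpAddr::V6(v6) => {
            let s = v6.segments();
            v6.is_loopback()
                || v6.is_unspecified()
                || (s[0] & 0xfe00) == 0xfc00 // fc00::/7 unique local
                || (s[0] & 0xffc0) == 0xfe80 // fe80::/10 link-local
                || v6.to_ipv4_mapped().map_or(false, |v4| is_restricted_ip(IpAddr::V4(v4)))
        }
    }
}

/// Hypothetical helper: "http://host:port/path" -> "host". Enough for the
/// constructed URLs below; a real tool would use a proper URL parser.
pub fn host_of(url: &str) -> Option<&str> {
    let rest = url.strip_prefix("http://").or_else(|| url.strip_prefix("https://"))?;
    let end = rest.find(|c: char| c == '/' || c == ':').unwrap_or(rest.len());
    let host = &rest[..end];
    if host.is_empty() { None } else { Some(host) }
}

/// What a constructed server answers for a given URL.
pub enum Reply { Redirect(&'static str), Body(&'static str) }

/// Constructed, offline stand-in for DNS plus the servers behind it.
pub struct FakeNet {
    pub dns: HashMap<&'static str, IpAddr>,
    pub servers: HashMap<&'static str, Reply>,
}

impl FakeNet {
    /// Literal IP hosts resolve to themselves; names go through the fake DNS table.
    fn resolve(&self, host: &str) -> Option<IpAddr> {
        host.parse::<IpAddr>().ok().or_else(|| self.dns.get(host).copied())
    }
}

/// Fetch `url`, following at most `max_redirects` redirects.
/// `revalidate_hops == false` reproduces the pre-0.8.22 pattern: only the first
/// URL is checked. `true` is the fix: every redirect target is resolved and checked.
/// `max_redirects == 0` is the interim workaround of not following redirects at all.
pub fn fetch(net: &FakeNet, url: &str, max_redirects: usize, revalidate_hops: bool) -> Result<String, String> {
    let mut current = url.to_string();
    for hop in 0..=max_redirects {
        if hop == 0 || revalidate_hops {
            let host = host_of(&current).ok_or_else(|| format!("bad url {current}"))?;
            let ip = net.resolve(host).ok_or_else(|| format!("cannot resolve {host}"))?;
            if is_restricted_ip(ip) {
                return Err(format!("blocked: {current} resolves to restricted address {ip}"));
            }
        }
        match net.servers.get(current.as_str()) {
            Some(Reply::Body(b)) => return Ok(b.to_string()),
            Some(Reply::Redirect(next)) => current = next.to_string(),
            None => return Err(format!("no server for {current}")),
        }
    }
    Err("too many redirects".to_string())
}

/// Constructed scenario: a public host whose response redirects to the metadata
/// endpoint, and a harmless public-to-public redirect for comparison.
pub fn demo_net() -> FakeNet {
    let mut dns: HashMap<&'static str, IpAddr> = HashMap::new();
    dns.insert("attacker.example", "203.0.113.10".parse().unwrap()); // TEST-NET-3
    dns.insert("docs.example", "198.51.100.20".parse().unwrap());   // TEST-NET-2
    let mut servers: HashMap<&'static str, Reply> = HashMap::new();
    servers.insert("http://attacker.example/go", Reply::Redirect("http://169.254.169.254/latest/meta-data/"));
    servers.insert("http://169.254.169.254/latest/meta-data/", Reply::Body("<metadata would be here>"));
    servers.insert("http://docs.example/old", Reply::Redirect("http://docs.example/new"));
    servers.insert("http://docs.example/new", Reply::Body("public page"));
    FakeNet { dns, servers }
}

fn main() {
    let net = demo_net();
    println!("validate once: {:?}", fetch(&net, "http://attacker.example/go", 5, false));
    println!("every hop:     {:?}", fetch(&net, "http://attacker.example/go", 5, true));
    println!("no redirects:  {:?}", fetch(&net, "http://attacker.example/go", 0, false));
}
```

In a real reqwest client the per-hop check corresponds to a `reqwest::redirect::Policy::custom` closure that inspects `attempt.url()` and returns `attempt.stop()` when the target's resolved address is restricted (or `Policy::none()` for the zero-redirect workaround); that wiring is an assumption about how a fix could be built, not a description of the 0.8.22 patch. Two caveats apply to any such check: the policy sees a hostname, so it must resolve it itself, and a name that resolves to a public address at check time can be rebound to an internal one before the connection is made, which a blocklist on resolved IPs alone does not catch.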


Advisories
Source: Github GHSA
ID: GHSA-96ff-gc8g-wpvg
Title: DeepSeek TUI has SSRF via HTTP Redirect Bypass in fetch_url Tool
History

Thu, 28 May 2026 18:00:00 +0000

Type Values Removed Values Added
Description CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.22, the fetch_url tool validates the initial URL's resolved IP address against a restricted-IP blocklist (is_restricted_ip()) to prevent SSRF attacks against internal services (cloud metadata endpoints, localhost, private networks). However, the HTTP client (reqwest) is configured to automatically follow up to 5 redirects (reqwest::redirect::Policy::limited(5)) without re-validating the redirect target against the same SSRF protections. This vulnerability is fixed in 0.8.22.
Title CodeWhale: SSRF via HTTP Redirect Bypass in fetch_url Tool
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T17:30:09.575Z

Reserved: 2026-05-11T20:50:30.538Z

Link: CVE-2026-45310

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-28T18:16:35.037

Modified: 2026-05-28T18:40:37.990

Link: CVE-2026-45310

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T19:30:16Z

Weaknesses