Description
CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.26, although SSRF is validated against hostnames that resolve to private IPv6 addresses, when providing the IPV6 in URL as http://[::1], the SSRF defenses do not work. This vulnerability is fixed in 0.8.26.
Published: 2026-05-28
Score: 7.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CodeWhale, a terminal coding agent, contains a server-side request forgery (SSRF) vulnerability, classified as CWE-918. Its SSRF defense validates hostnames by resolving them and rejecting those that map to private IPv6 addresses, but an IPv6 loopback address written literally in the URL (http://[::1]) is never subjected to that check, so the filter is bypassed. An attacker who can get the agent to fetch such a URL can make it send requests to services listening on the host's loopback interface or on the internal network and read their responses, exposing data that should not be reachable from the agent. The CVSS vector records a high confidentiality impact with no integrity or availability impact.

Affected Systems

The vulnerability affects all releases of CodeWhale prior to version 0.8.26. The fix was introduced in the 0.8.26 release; users running any earlier version are exposed until they upgrade.

Risk and Exploitability

With a CVSS 3.1 base score of 7.4 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N), this weakness is rated High. The vector records a high confidentiality impact and no integrity or availability impact, so the risk is data disclosure rather than outage. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog, so there is no public indication of exploitation in the wild. The attack vector is network-based and requires no privileges on the host, but it does require user interaction: the crafted IPv6 URL has to reach the agent through input it processes, after which the agent itself makes the request to the local or internal target. Scope is changed because the request crosses from the agent into other services on the host or network.

Generated by OpenCVE AI on May 28, 2026 at 19:22 UTC.

Remediation

Vendor fix: upgrade to CodeWhale 0.8.26, which the advisory description identifies as the fixed release. No vendor-provided workaround is listed.

OpenCVE Recommended Actions

  • Install CodeWhale version 0.8.26 or later, which contains the SSRF fix
  • If an update cannot be applied immediately, configure the host firewall or the application to reject outbound connections to the IPv6 loopback address ::1; treat this as a narrow stopgap, since it covers only the one literal named in the advisory
  • Review and enforce URL input validation logic so that IP literals in the URL host (including bracketed IPv6 forms such as [::1]) are classified against loopback, private, link-local and other non-routable ranges directly, in addition to checking the addresses that hostnames resolve to
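The Impact paragraph and the validation item above describe the same mistake: a check that only looks at what a hostname resolves to never sees an address that is already written as an IP literal in the URL. The following Python is an added illustration written for this page; it is not CodeWhale's code, whose language and internals the page does not show. The function names, the constructed resolver table and the policy choices (reject unresolvable hosts, allow only http and https) are assumptions made for the example. It goes beyond the advisory's single [::1] case by also unwrapping IPv4-mapped IPv6 literals, which is a general hardening step and not a claim about CodeWhale.

```python
"""Flawed versus hardened SSRF host checks, added illustration for this page.

Not CodeWhale's code: function names, the constructed resolver table and
the policy choices (reject unresolvable hosts, allow only http/https) are
assumptions made for the example.
"""
from __future__ import annotations

import ipaddress
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline. A real checker
# would use socket.getaddrinfo() and iterate over every returned family.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp": ["fd00::1"],   # IPv6 unique local address (fc00::/7)
    "localhost6": ["::1"],          # name that resolves to IPv6 loopback
}

Resolver = Callable[[str], Iterable[str]]


def fake_resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


def is_disallowed_ip(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True for addresses an outbound fetch should never be allowed to reach."""
    # ::ffff:127.0.0.1 is an IPv6 literal that reaches IPv4 loopback;
    # classify the embedded IPv4 address instead of the wrapper.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def vulnerable_is_safe(url: str, resolve: Resolver = fake_resolve) -> bool:
    """The pattern the advisory describes: only resolved addresses are checked.

    An IPv6 literal such as [::1] has nothing to resolve, so the loop body
    never runs and the URL is wrongly allowed.
    """
    host = urlsplit(url).hostname or ""
    for addr in resolve(host):
        if is_disallowed_ip(ipaddress.ip_address(addr)):
            return False
    return True


def hardened_is_safe(url: str, resolve: Resolver = fake_resolve) -> bool:
    """Classify IP literals directly, then resolve names and check every result."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname          # urlsplit strips the [] around IPv6 literals
    if not host:
        return False
    try:
        return not is_disallowed_ip(ipaddress.ip_address(host))
    except ValueError:
        pass                        # not an IP literal, treat as a DNS name
    addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        return False                # unresolvable: fail closed
    return not any(is_disallowed_ip(a) for a in addrs)


if __name__ == "__main__":
    for u in ("http://example.com/", "http://[::1]/", "http://[::1]:8080/",
              "http://localhost6/", "http://[::ffff:127.0.0.1]/"):
        print(f"{u:32} vulnerable={vulnerable_is_safe(u)!s:5} hardened={hardened_is_safe(u)}")
```

Run it directly to see the two checks disagree on http://[::1]/ while agreeing on a hostname that resolves to ::1. In production code, replace fake_resolve with socket.getaddrinfo over all address families, and connect to the address that was validated rather than resolving the name a second time, otherwise a DNS rebinding answer can still redirect the request after the check has passed.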



Advisories
Source: GitHub GHSA
ID: GHSA-88gh-2526-gfrr
Title: DeepSeek TUI has SSRF IPV6 bypass
History

Thu, 28 May 2026 18:00:00 +0000

Type | Values Removed | Values Added
Description | - | CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.26, although SSRF is validated against hostnames that resolve to private IPv6 addresses, when providing the IPV6 in URL as http://[::1], the SSRF defenses do not work. This vulnerability is fixed in 0.8.26.
Title | - | CodeWhale: SSRF IPV6 bypass
Weaknesses | - | CWE-918
References | - | 
Metrics | - | cvssV3_1 {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T17:29:19.592Z

Reserved: 2026-05-12T00:51:29.086Z

Link: CVE-2026-45373

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-28T18:16:35.717

Modified: 2026-05-28T18:40:37.990

Link: CVE-2026-45373

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T19:30:16Z

Weaknesses