Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-96ff-gc8g-wpvg | DeepSeek TUI has SSRF via HTTP Redirect Bypass in fetch_url Tool |
Sat, 30 May 2026 02:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 29 May 2026 16:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Hmbown
Hmbown codewhale |
|
| Vendors & Products |
Hmbown
Hmbown codewhale |
Thu, 28 May 2026 18:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.22, the fetch_url tool validates the initial URL's resolved IP address against a restricted-IP blocklist (is_restricted_ip()) to prevent SSRF attacks against internal services (cloud metadata endpoints, localhost, private networks). However, the HTTP client (reqwest) is configured to automatically follow up to 5 redirects (reqwest::redirect::Policy::limited(5)) without re-validating the redirect target against the same SSRF protections. This vulnerability is fixed in 0.8.22. | |
| Title | CodeWhale: SSRF via HTTP Redirect Bypass in fetch_url Tool | |
| Weaknesses | CWE-918 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-30T02:09:17.696Z
Reserved: 2026-05-11T20:50:30.538Z
Link: CVE-2026-45310
Updated: 2026-05-30T02:09:12.496Z
Status : Deferred
Published: 2026-05-28T18:16:35.037
Modified: 2026-05-30T04:17:17.940
Link: CVE-2026-45310
No data.
OpenCVE Enrichment
Updated: 2026-05-29T15:48:10Z
Github GHSA