HIGH 7.4

CVE-2026-45310: CodeWhale SSRF via HTTP Redirect Bypass (7.4 HIGH)

CodeWhale, a terminal-based AI coding agent, contains a server-side request forgery (SSRF) vulnerability in versions prior to 0.8.22. The application attempts to block requests to sensitive internal services by checking whether the initial URL points to a restricted IP address. However, attackers can bypass this protection by crafting a URL that initially resolves to an allowed address but redirects to an internal service—such as cloud metadata endpoints or localhost—because the HTTP client automatically follows redirects without re-checking the security blocklist. This allows an attacker to trick CodeWhale into making requests to internal systems that should be off-limits.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.4 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Weaknesses (CWE)
CWE-918
Affected products
0 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.22, the fetch_url tool validates the initial URL's resolved IP address against a restricted-IP blocklist (is_restricted_ip()) to prevent SSRF attacks against internal services (cloud metadata endpoints, localhost, private networks). However, the HTTP client (reqwest) is configured to automatically follow up to 5 redirects (reqwest::redirect::Policy::limited(5)) without re-validating the redirect target against the same SSRF protections. This vulnerability is fixed in 0.8.22.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CodeWhale's fetch_url tool implements SSRF protection via the is_restricted_ip() function, which validates the initial resolved IP against a blocklist before making requests. The underlying HTTP client (reqwest) is configured with a permissive redirect policy (reqwest::redirect::Policy::limited(5)) that automatically follows HTTP 3xx redirects up to five times. The vulnerability stems from the fact that redirect targets are not re-validated against the same SSRF blocklist after the initial check passes. An attacker can therefore supply a URL pointing to an allowed destination that responds with a redirect (HTTP 301, 302, etc.) to a restricted address (e.g., 169.254.169.254 for AWS metadata, 127.0.0.1, or private network ranges). The HTTP client will transparently follow the redirect and fetch content from the restricted destination, defeating the intended protection. This is classified as CWE-918 (Server-Side Request Forgery).

Business impact

An attacker without authentication can exploit this vulnerability to read sensitive data from internal services accessible to the CodeWhale process. In cloud environments, this typically includes metadata endpoints containing temporary credentials, role information, and configuration details. In on-premises deployments, attackers could access localhost services or internal network resources. Compromised metadata credentials could lead to further cloud account compromise, lateral movement, and data exfiltration. The requirement for user interaction (UI:R in the CVSS vector) means an attacker must trick a CodeWhale user into executing a malicious request—for example, by embedding it in a prompt or requesting the user run a specific command—but this is a relatively low bar in the context of an AI agent that processes arbitrary user input.

Affected systems

CodeWhale versions prior to 0.8.22 are affected. The application runs as a terminal-based agent and would be vulnerable when installed and used in environments where the process has network access to cloud metadata services, localhost services, or internal networks that should be off-limits. The risk is highest in cloud environments (AWS, Azure, GCP) where metadata endpoints are readily accessible, and in corporate networks where internal services are exposed to the machine running CodeWhale.

Exploitability

The vulnerability is moderately exploitable. An attacker must craft a specially formatted URL that passes the initial SSRF check but redirects to a restricted destination. This requires some knowledge of the target environment (which services are accessible, typical redirect patterns) but does not require advanced technical sophistication. The automatic redirect following in reqwest makes exploitation straightforward once a suitable redirect chain is identified. The CVSS score of 7.4 (HIGH) reflects the network-accessible attack vector, low attack complexity, and lack of authentication requirement, though the user-interaction requirement (a user must trigger the fetch_url call) and confidentiality-only impact (no integrity or availability loss) moderate the score somewhat.

Remediation

Upgrade CodeWhale to version 0.8.22 or later. This release fixes the vulnerability by re-validating redirect targets against the SSRF blocklist before following them. Users unable to upgrade immediately should restrict network access from the CodeWhale process to internal networks and cloud metadata endpoints using firewall rules, network policies, or host-based access controls. Additionally, limit the use of CodeWhale's fetch_url tool to trusted, whitelisted destinations rather than allowing arbitrary URL fetching.

Patch guidance

Upgrade to CodeWhale 0.8.22 or later. Review your deployment's version using `codewhale --version` or equivalent. If you are running a version prior to 0.8.22, update immediately. Verify the upgrade by confirming the new version is in use and by testing that the fetch_url tool correctly rejects redirect chains to restricted addresses. For users who cannot upgrade promptly, implement network-level controls (e.g., egress filtering, VPC security groups, iptables rules) to prevent CodeWhale's process from reaching cloud metadata services or internal resources.

Detection guidance

Monitor network traffic originating from CodeWhale processes for suspicious patterns: requests to cloud metadata endpoints (169.254.169.254, equivalent Azure/GCP endpoints), requests to 127.0.0.1 or RFC 1918 ranges, or repeated HTTP 3xx redirects followed by successful data retrieval from restricted addresses. Log fetch_url requests and their resolution; look for cases where the final destination differs significantly from the initial URL. In cloud environments, enable VPC Flow Logs or equivalent network monitoring. Monitor CloudTrail or equivalent logs for unexpected credential usage that may have originated from CodeWhale metadata access.

Why prioritize this

This vulnerability merits prompt patching due to its potential to expose cloud credentials and internal data, its ease of exploitation relative to the low attack complexity, and the high business value of metadata in cloud environments. While KEV status is not yet assigned, the combination of SSRF in a networked tool, automatic redirect handling, and the ubiquity of metadata endpoints in cloud deployments makes this a credible near-term attack target. Organizations using CodeWhale in cloud environments should prioritize this update.

Risk score, explained

The CVSS 3.1 score of 7.4 (HIGH) reflects: AV:N (network-accessible), AC:L (low complexity—redirect chains are easy to construct), PR:N (no privileges required), UI:R (user interaction required—the user must trigger fetch_url), S:C (scope changed—impact extends beyond the vulnerable component to internal systems), C:H (confidentiality impact is high—metadata and internal data are exposed), I:N (integrity is not impacted), A:N (availability is not impacted). The user-interaction requirement prevents a CRITICAL score; however, in an AI agent that processes user prompts, this requirement is often easily satisfied.

Frequently asked questions

What is the SSRF vulnerability in CodeWhale?

CodeWhale's fetch_url tool is designed to block requests to sensitive internal addresses (cloud metadata, localhost, private networks) by checking the initial URL's resolved IP. However, the HTTP client automatically follows up to 5 redirects without re-checking this blocklist. An attacker can bypass the protection by supplying a URL that initially resolves to an allowed address but redirects to a restricted one, allowing unauthorized access to internal services.

How would an attacker exploit this?

An attacker would craft a URL pointing to a legitimate, attacker-controlled server that responds with an HTTP redirect to a sensitive internal service (e.g., AWS metadata at 169.254.169.254). When CodeWhale processes this URL via fetch_url, the initial check passes, but the HTTP client automatically follows the redirect to the restricted destination, retrieving sensitive data. The attacker would need to trick a CodeWhale user into executing this request, typically through a manipulated prompt or command.

What data could be exposed?

In cloud environments, the primary risk is exposure of temporary AWS, Azure, or GCP credentials stored in metadata endpoints. These credentials could allow an attacker to assume the role of the CodeWhale process and access cloud resources. In on-premises settings, attackers could access localhost services, internal APIs, databases, or configuration systems. The exact impact depends on what internal services are accessible from the CodeWhale process.

Do I need to upgrade if I don't use CodeWhale's fetch_url tool?

While the vulnerability specifically affects the fetch_url tool, you should still upgrade to 0.8.22 as a precaution and to maintain a secure baseline. If CodeWhale is used by others or in pipelines where tool usage may not be obvious, the risk remains. Additionally, future versions may enable or encourage fetch_url usage, so patching is prudent.

This analysis is provided for informational purposes to help security professionals understand and remediate CVE-2026-45310. No exploit code or weaponized proof-of-concept is provided. Verify all patch versions and vendor advisories against official CodeWhale releases. Test patches in non-production environments before deploying to production. Network and host-based detection signatures should be tuned to your environment to minimize false positives. This vulnerability requires user interaction; however, in the context of an AI agent processing arbitrary input, this requirement should not be underestimated as a mitigating factor. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).