High severity (7.4) | GHSA Advisory | Published May 28, 2026 | Updated May 30, 2026
CVE-2026-45310
Description
CodeWhale is a DeepSeek + MiMo coding agent for the terminal. Prior to 0.8.22, the fetch_url tool validates the initial URL's resolved IP address against a restricted-IP blocklist (is_restricted_ip()) to prevent SSRF attacks against internal services (cloud metadata endpoints, localhost, private networks). However, the HTTP client (reqwest) is configured to automatically follow up to 5 redirects (reqwest::redirect::Policy::limited(5)) without re-validating each redirect target against the same SSRF protections, so a redirect can lead the tool to an address the initial check would have rejected. This vulnerability is fixed in 0.8.22.
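As an added example (not CodeWhale's code), the check the advisory describes, written against the Rust standard library only: is_restricted_ip() is a hypothetical stand-in for the project's function, and the redirect chain is a constructed list of hops with pre-resolved addresses, so the difference between validating only the first hop and validating every hop is visible without a network. In the real client the per-hop check belongs in a custom reqwest::redirect::Policy (Policy::custom) rather than Policy::limited(5).

```rust
use std::net::{IpAddr, Ipv4Addr};

/// Addresses a fetch tool must never contact: loopback, RFC 1918 private
/// ranges, link-local (which contains the 169.254.169.254 metadata endpoint),
/// unspecified and broadcast, plus the IPv6 equivalents. Hypothetical
/// stand-in for the advisory's is_restricted_ip(), not the project's code.
pub fn is_restricted_ip(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => is_restricted_v4(v4),
        IpAddr::V6(v6) => {
            // ::ffff:a.b.c.d is judged by the embedded IPv4 address.
            if let Some(v4) = v6.to_ipv4_mapped() {
                return is_restricted_v4(v4);
            }
            let seg = v6.segments()[0];
            v6.is_loopback()
                || v6.is_unspecified()
                || (seg & 0xfe00) == 0xfc00 // fc00::/7 unique local
                || (seg & 0xffc0) == 0xfe80 // fe80::/10 link local
        }
    }
}

fn is_restricted_v4(v4: Ipv4Addr) -> bool {
    v4.is_loopback() || v4.is_private() || v4.is_link_local()
        || v4.is_unspecified() || v4.is_broadcast()
}

/// One hop of a redirect chain: the URL about to be requested and the address
/// its host resolved to. Constructed input, not a live lookup.
pub struct Hop<'a> { pub url: &'a str, pub resolved: IpAddr }

fn check_hop(i: usize, hop: &Hop) -> Result<(), String> {
    if is_restricted_ip(hop.resolved) {
        return Err(format!("hop {i} {} -> restricted address {}", hop.url, hop.resolved));
    }
    Ok(())
}

/// Vulnerable pattern from the advisory: only the initial URL is validated;
/// the HTTP client then follows redirects unchecked.
pub fn check_first_hop_only(chain: &[Hop]) -> Result<(), String> {
    chain.first().map_or(Ok(()), |hop| check_hop(0, hop))
}

/// Fixed pattern: every hop, including each redirect target, is validated
/// before it is requested (the body of a custom redirect policy).
pub fn check_every_hop(chain: &[Hop]) -> Result<(), String> {
    chain.iter().enumerate().try_for_each(|(i, hop)| check_hop(i, hop))
}
```

A redirect policy sees only the next URL, so the address must also be checked at connect time; a hostname that resolves differently between validation and connection otherwise slips past the check.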
Affected packages
Versions sourced from the GitHub Security Advisory.

| Package | Registry | Affected versions | Patched versions |
|---|---|---|---|
| deepseek-tui | crates.io | < 0.8.22 | 0.8.22 |
| deepseek-tui-cli | crates.io | < 0.8.22 | 0.8.22 |
| deepseek-tui | npm | < 0.8.22 | 0.8.22 |
Affected products
- Range: < 0.8.22 (3 affected versions listed in the GHSA; no CPE assigned)
References
- github.com/advisories/GHSA-96ff-gc8g-wpvg (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-45310 (GHSA, advisory)
- github.com/Hmbown/CodeWhale/security/advisories/GHSA-96ff-gc8g-wpvg (NVD, web)
- github.com/Hmbown/DeepSeek-TUI/releases/tag/v0.8.22 (NVD, web)
- github.com/Hmbown/DeepSeek-TUI/security/advisories/GHSA-96ff-gc8g-wpvg (GHSA, web)