CVE-2026-45373
high
CVSS v3
7.4
CVSS v4
-
VIR risk
7.4
Description
CodeWhale is a DeepSeek + MiMo coding agent for the terminal. Prior to 0.8.26, the SSRF validation covers hostnames that resolve to private IPv6 addresses, but it does not work when the IPv6 address is given directly in the URL, as in http://[::1]. This vulnerability is fixed in 0.8.26.
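An added example, not CodeWhale's code or its 0.8.26 patch: one way an SSRF filter can treat a bracketed IPv6 literal the same way as a resolved address. The function names and the sample hosts are hypothetical and constructed for illustration.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

/// True when an IPv4 address must not be reached by an outbound fetch.
fn v4_internal(ip: Ipv4Addr) -> bool {
    ip.is_loopback() || ip.is_private() || ip.is_link_local() || ip.is_unspecified()
}

/// True when an IPv6 address must not be reached by an outbound fetch.
fn v6_internal(ip: Ipv6Addr) -> bool {
    if let Some(v4) = ip.to_ipv4_mapped() {
        return v4_internal(v4); // ::ffff:a.b.c.d is judged as the embedded IPv4 address
    }
    let first = ip.segments()[0];
    ip.is_loopback()
        || ip.is_unspecified()
        || (first & 0xfe00) == 0xfc00 // fc00::/7 unique local
        || (first & 0xffc0) == 0xfe80 // fe80::/10 link-local
}

/// Hypothetical helper: classify the host component of a URL.
/// Some(true)  = IP literal pointing at an internal address, reject
/// Some(false) = IP literal pointing at a public address
/// None        = a name; resolve it and run every resolved address through the same predicates
fn literal_host_is_internal(host: &str) -> Option<bool> {
    // URL syntax wraps IPv6 literals in brackets; IpAddr::from_str rejects them, so strip first.
    let bare = host
        .strip_prefix('[')
        .and_then(|h| h.strip_suffix(']'))
        .unwrap_or(host);
    match bare.parse::<IpAddr>() {
        Ok(IpAddr::V4(ip)) => Some(v4_internal(ip)),
        Ok(IpAddr::V6(ip)) => Some(v6_internal(ip)),
        Err(_) => None,
    }
}

fn main() {
    // Constructed sample hosts, not taken from the advisory.
    for host in ["[::1]", "[::ffff:127.0.0.1]", "[fd00::1]", "[2001:4860:4860::8888]", "example.com"] {
        println!("{host:>24} -> {:?}", literal_host_is_internal(host));
    }
}
```

The literal check and the post-resolution check share the same predicates, so the two paths cannot drift apart.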
Predictions
Exploit likelihood
82%
Patch ETA
-
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| crates.io | deepseek-tui | <0.8.26 | 0.8.26 |
| RUST | deepseek-tui | < 0.8.26 | 0.8.26 |
References
- https://github.com/Hmbown/DeepSeek-TUI/security/advisories/GHSA-88gh-2526-gfrr
- https://github.com/Hmbown/DeepSeek-TUI
- https://github.com/Hmbown/DeepSeek-TUI/releases/tag/v0.8.26
- https://github.com/advisories/GHSA-88gh-2526-gfrr
- https://github.com/Hmbown/CodeWhale/security/advisories/GHSA-88gh-2526-gfrr
- https://github.com/Hmbown/DeepSeek-TUI/blob/15f62e3e93d842f30b428877819ebc1c8cb96814/crates/tui/src/tools/fetch_url.rs#L321
CWEs
CWE-918