Perceptive Security
SOC/SIEM Consultancy

CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.22, the fetch_url tool validates the initial URL's resolved IP address against a restricte…
Published:
27 May 2026 at 22:00:00
Alert date:
28 May 2026 at 19:09:38
Source:
nvd.nist.gov
Web Technologies, Security Tools
CodeWhale, a DeepSeek + MiMo coding agent for terminal environments, contains an SSRF vulnerability in versions prior to 0.8.22. The fetch_url tool validates the initial URL's resolved IP address against a restricted-IP blocklist to prevent SSRF attacks on internal services, but does not re-validate redirect targets. The HTTP client (reqwest) automatically follows up to 5 redirects without applying the same SSRF protections, so a redirect from a permitted host can land on an address the blocklist would have rejected, allowing attackers to bypass the control and potentially reach internal services including cloud metadata endpoints, localhost, and private networks. This vulnerability has been patched in version 0.8.22.
Technical details
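The following is an added example, not CodeWhale's or reqwest's own code: a standard-library-only Rust model of the flaw described above, where a blocklist is applied once to the starting URL but not to the hops an automatic redirect follower visits, beside the corrected per-hop check. The names is_blocked_ip, Hop, mock_fetch and fetch_url, the hosts public.example and meta.example, and the mock that stands in for DNS and HTTP are all assumptions made for the example.

```rust
use std::net::IpAddr;

/// Hypothetical blocklist (not CodeWhale's own): loopback, private, link-local
/// (169.254.0.0/16 holds the metadata address 169.254.169.254), unspecified,
/// and IPv4-mapped IPv6 forms of the same ranges.
pub fn is_blocked_ip(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => v4.is_loopback() || v4.is_private()
            || v4.is_link_local() || v4.is_unspecified(),
        IpAddr::V6(v6) => v6.is_loopback() || v6.is_unspecified()
            || v6.to_ipv4_mapped().map_or(false, |v4| is_blocked_ip(IpAddr::V4(v4))),
    }
}
/// One HTTP hop: a final body, or a Location header to follow.
pub enum Hop { Body(String), Redirect(String) }
/// Constructed stand-in for DNS + HTTP so the example runs offline: a public
/// host redirects to a host that resolves to the metadata address.
pub fn mock_fetch(url: &str) -> Option<(IpAddr, Hop)> {
    match url {
        "http://public.example/start" => Some(("203.0.113.10".parse().unwrap(),
            Hop::Redirect("http://meta.example/latest".into()))),
        "http://meta.example/latest" => Some(("169.254.169.254".parse().unwrap(),
            Hop::Body("metadata-secret".into()))),
        _ => None,
    }
}

pub const MAX_REDIRECTS: usize = 5;
/// Follows redirects by hand so the blocklist runs on every hop. With
/// `revalidate = false` only the first URL is checked (the pre-0.8.22 flaw).
pub fn fetch_url(start: &str, revalidate: bool,
                 fetch: &dyn Fn(&str) -> Option<(IpAddr, Hop)>) -> Result<String, String> {
    let mut url = start.to_string();
    for hop_no in 0..=MAX_REDIRECTS {
        let (ip, hop) = fetch(&url).ok_or_else(|| format!("cannot resolve {url}"))?;
        if (hop_no == 0 || revalidate) && is_blocked_ip(ip) {
            return Err(format!("blocked: {url} resolves to {ip}"));
        }
        match hop {
            Hop::Body(body) => return Ok(body),
            Hop::Redirect(next) => url = next,
        }
    }
    Err("too many redirects".to_string())
}

fn main() {
    println!("{:?}", fetch_url("http://public.example/start", true, &mock_fetch));
}
```

With a real client the same shape applies: disable automatic redirect following (reqwest exposes a redirect policy for this) and resolve and check each Location target before issuing the next request.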
Mitigation steps:
Upgrade CodeWhale to version 0.8.22 or later.
Affected products:
CodeWhale
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-45310
https://github.com/Hmbown/CodeWhale/security/advisories/GHSA-96ff-gc8g-wpvg
https://github.com/Hmbown/DeepSeek-TUI/releases/tag/v0.8.22
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
