CodeWhale versions before 0.8.26 contain an SSRF vulnerability (CWE-918) where the SSRF defenses that validate hostnames resolving to private IPv6 addresses can be bypassed by specifying the IPv6 address directly in URL format (http://[::1]). This allows attackers to potentially make unauthorized internal network requests via the vulnerable server. The vulnerability is fixed in version 0.8.26. The CVSS 3.1 base score is 7.4, reflecting a network attack vector with low attack complexity, no privileges required, but requiring user interaction, and impacts confidentiality with no impact on integrity or availability.

An attacker can exploit this SSRF vulnerability to make the vulnerable server send unauthorized requests to internal IPv6 addresses, potentially exposing sensitive information or accessing internal services. The impact is limited to confidentiality loss; integrity and availability are not affected according to the CVSS vector. No known active exploitation has been reported.

Upgrade CodeWhale to version 0.8.26 or later, where this SSRF vulnerability is fixed. Since no official vendor advisory or patch link is provided, users should verify the update availability from the vendor or trusted sources. Patch status is not yet confirmed by vendor advisory; check the vendor for current remediation guidance.