47Cid

**Name of the Vulnerable Software and Affected Versions** CodeWhale versions prior to 0.8.22 **Description** The `fetch url` tool implements a check using the `is restricted ip()` function to validate the resolved IP address of an initial URL against a blocklist of restricted IPs, such as localhost, private networks, and cloud metadata endpoints, to prevent Server-Side Request Forgery (SSRF). However, the `reqwest` HTTP client is configured to follow up to 5 redirects via `reqwest::redirect::Policy::limited(5)` without re-validating the redirect targets. This allows an attacker to bypass SSRF protections by providing a public URL that redirects to a restricted internal address. On cloud-hosted instances, this could lead to the exfiltration of instance metadata and cloud IAM credentials through prompt injection. **Recommendations** Update to version 0.8.22.

**Name of the Vulnerable Software and Affected Versions** CodeWhale versions 0.3.0 through 0.8.22 **Description** The `run tests` tool executes `cargo test` in the workspace with `ApprovalRequirement::Auto`, allowing it to run without user approval. Because `cargo test` compiles and executes arbitrary code—including test binaries, `build.rs` build scripts, and proc macros—a malicious repository can execute arbitrary shell commands, exfiltrate credentials, or establish persistence. This risk is increased by the `AGENTS.md` file, which is automatically loaded into the system prompt and can be used to instruct the model to run tests proactively at the start of a session. **Recommendations** Update to version 0.8.23. As a temporary workaround, restrict the use of the `run tests` tool when working with untrusted repositories.

**Name of the Vulnerable Software and Affected Versions** CodeWhale versions prior to 0.8.26 **Description** The `task create` tool spawns durable sub-agents that inherit insecure default settings. Specifically, the `allow shell` variable defaults to `true` and the `auto approve` variable defaults to `true`. When a user approves a `task create` call, they may believe they are only approving a benign work prompt. However, the resulting sub-agent silently receives unrestricted and unapproved shell access. This allows the sub-agent to execute shell commands without further user intervention, potentially following malicious instructions embedded in project files. **Recommendations** Update to version 0.8.26.

**Name of the Vulnerable Software and Affected Versions** Fabio versions prior to 1.6.6 **Description** Fabio is an HTTP(S) and TCP router for deploying applications managed by consul. A vulnerability in how it processes hop-by-hop headers allows clients to remove X-Forwarded headers (except X-Forwarded-For). This creates potential security vulnerabilities as the receiving application should trust these headers. The attack relies on the behavior that headers can be defined as hop-by-hop via the HTTP Connection header. Some custom headers can be removed and, in certain cases, manipulated. **Recommendations** For versions prior to 1.6.6, update to version 1.6.6 to resolve the issue. As a temporary workaround, consider restricting the ability of clients to remove or modify X-Forwarded headers until the update is applied. Avoid using the `X-Forwarded-Host` and `X-Forwarded-Port` headers in sensitive operations until the issue is resolved.