
Codeep

v2.1.3 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 2 known CVEs

Topics

ai ai-agent ai-agents ai-tools cli-app

Affected surfaces

auth rce_ssrf

ReleasePort's take

Light signal

Hooks now require trust‑on‑first‑use before execution and the web-fetch tool blocks internal/metadata addresses.

Why it matters: These changes enforce stricter security controls; operators must configure TOFU policies for hooks and test fetch_url compliance with SSRF guard before deployment.

Summary

AI summary

Hooks now require trust‑on‑first‑use and the web-fetch tool blocks internal/metadata addresses, enhancing security.

Changes in this release

Security Medium

Hooks now require trust-on-first-use before execution.


Source: llm_adapter@2026-05-22

Confidence: high

Security Medium

SSRF guard blocks internal/metadata addresses in fetch_url tool.


Source: llm_adapter@2026-05-22

Confidence: high

Feature Medium

Stats reporting now includes x-sync-token header for user identification.


Source: llm_adapter@2026-05-22

Confidence: low

Full changelog

Security hardening: project hooks now require trust before they run, the web-fetch tool blocks internal/metadata addresses, and usage stats are sent with your sync token.

Security

  • Hooks now require trust-on-first-use. Project-local .codeep/hooks/* run
    arbitrary shell, so a freshly-cloned repo could previously execute its scripts
    on your first tool call. Hooks in an unapproved workspace are now skipped
    until you run /hooks trust (revoke with /hooks untrust). /hooks and the
    welcome banner show the trust state. Your own already-set-up projects just need
    a one-time /hooks trust.
  • SSRF guard on the fetch_url web tool. The agent can no longer be steered
    (e.g. via prompt injection) into fetching localhost, private/RFC1918, or
    link-local addresses — including the cloud metadata endpoint
    169.254.169.254. Only http/https are allowed, on the initial request and
    redirects. Your configured provider endpoints (Ollama, custom vLLM/Tailscale)
    are unaffected — they don't go through this tool.
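The kind of check the SSRF item describes, as an added example rather than Codeep's own code: it allows only http/https, resolves the host, rejects loopback, private, and link-local addresses (including IPv4-mapped IPv6 forms), and repeats the check on every redirect hop. The function names, the `SAMPLE_DNS` table, and the redirect map are assumptions constructed for illustration so the block runs offline.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed DNS answers so the example runs offline (not real lookups).
SAMPLE_DNS = {"example.com": ["93.184.216.34"],
              "mixed.test": ["93.184.216.34", "10.0.0.5"]}

def sample_resolver(host):
    return SAMPLE_DNS.get(host, [host])  # IP literals resolve to themselves

def system_resolver(host):
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def is_internal(addr):
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped:  # ::ffff:169.254.169.254 and similar
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)

def check_url(url, resolver=system_resolver):
    """Return (allowed, reason) for one URL; fails closed on any doubt."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "missing host"
    try:
        addrs = resolver(parts.hostname)
        blocked = [a for a in addrs if is_internal(a)]
    except (OSError, ValueError):
        addrs, blocked = [], []
    if not addrs:
        return False, "host did not resolve"
    if blocked:  # one internal answer among several is enough to refuse
        return False, "internal address " + ", ".join(blocked)
    return True, "ok"

def check_chain(url, redirects, resolver=system_resolver, max_hops=5):
    """Apply check_url to the first URL and to every redirect target.
    `redirects` maps URL -> Location value (constructed stand-in for HTTP)."""
    for _ in range(max_hops + 1):
        ok, reason = check_url(url, resolver)
        if not ok:
            return False, f"{url}: {reason}"
        if url not in redirects:
            return True, url
        url = urljoin(url, redirects[url])
    return False, "too many redirects"
```

A check like this only holds if the HTTP client then connects to the address that was validated; resolving the name a second time at connect time reopens the gap.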

Changed

  • Stats reporting now sends the x-sync-token header. The dashboard derives
    your GitHub id from the token instead of trusting the githubId in the request
    body, closing a spoofing gap where anyone could forge usage events (or unarchive
    projects) for another user. Stats keep working on older CLIs — they're just
    recorded anonymously until you upgrade. No behavior change for you locally.

Security Fixes

  • Hooks now require trust‑on‑first‑use before execution (prevents arbitrary code on fresh clones)
  • SSRF guard added to fetch_url tool blocks internal, RFC1918 and link‑local addresses including cloud metadata endpoint 169.254.169.254


Related context

Earlier breaking changes

  • v2.4.1 MiniMax M3 replaces MiniMax-M2.7 as default model across all providers.
  • v2.0.0 McpServer protocol now optional fields `command`, `args`, plus new `url` and `headers`; version bumped to 2.0.0.
