CVE-2025-64522
Published 2025-11-10. CVE-2025-64522: Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have an SSRF vulnerability where webhook URLs are not validated…
Priority P3 · 44 · High 7.6 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
EPSS: 0.31% (22.3rd percentile)
Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have an SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints. Version 0.11.1 fixes the vulnerability.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| charm | soft_serve | < 0.11.1 | 0.11.1 |
| charmbracelet | soft-serve | < 0.11.1 | 0.11.1 |
| github.com | charmbracelet_soft-serve | >= 0 < 0.11.1 | 0.11.1 |
OSV · 2025-11-17: CVE-2025-64522 Soft Serve is vulnerable to SSRF through its Webhooks in github.com/charmbracelet/soft-serve
OSV · 2025-11-10: CVE-2025-64522 [CRITICAL] Soft Serve is vulnerable to SSRF through its Webhooks
SUMMARY
We have identified and verified an SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints.
AFFECTED COMPONENTS (VERIFIED)
1. Webhook Creation (pkg/ssh/cmd/webhooks.go:125)
2. Backend CreateWebhook (pkg/backend/webhooks.go:17)
3. Backend UpdateWebhook (pkg/backend/webhooks.go:122)
4. Webhook Delivery (pkg/webhook/webhook.go:97)
IMPACT
This vulnerability allows repository administrators to perform SSRF attacks, potentially enabling:
a) Cloud Metadata Theft - Access AWS/Azure/GCP credentials via 169.254.169.254
b) Internal Network Access - Target localhost and private networks (10.x, 192.168.x,
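The IMPACT list above names the address classes a webhook target must never reach: the cloud metadata endpoint, loopback, and RFC 1918 private space. The Go below is an added example written for this page, not code from the Soft Serve project or from the fix commit, showing the two checks a fix along these lines needs: validation of the URL when a webhook is created or updated, and a second check at connect time during delivery so that a hostname which passed validation cannot later resolve to an internal address. Function names, the blocked ranges and the sample URLs are the editor's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// blockedNets adds ranges that net.IP's own predicates do not cover.
// (Assumed policy for this example; tune to the deployment.)
var blockedNets = mustParseCIDRs(
	"0.0.0.0/8",     // "this" network
	"100.64.0.0/10", // CGNAT (RFC 6598)
	"192.0.0.0/24",  // IETF protocol assignments
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// CheckIP rejects any address a webhook must not reach: loopback, unspecified,
// link-local (which covers 169.254.169.254), multicast, RFC 1918 / ULA private
// space, and the extra ranges above. IPv4-mapped IPv6 (::ffff:127.0.0.1) is
// normalised by net.IP's To4 inside these predicates, so it is caught too.
func CheckIP(ip net.IP) error {
	if ip == nil {
		return errors.New("webhook target is not a valid IP address")
	}
	switch {
	case ip.IsLoopback(), ip.IsUnspecified(), ip.IsLinkLocalUnicast(),
		ip.IsLinkLocalMulticast(), ip.IsInterfaceLocalMulticast(),
		ip.IsMulticast(), ip.IsPrivate():
		return fmt.Errorf("webhook target %s is not a public address", ip)
	}
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return fmt.Errorf("webhook target %s is in blocked range %s", ip, n)
		}
	}
	return nil
}

// ValidateWebhookURL is the create/update-time check: only http(s), a host
// must be present, and every address the host currently resolves to must pass
// CheckIP. IP literals are checked directly without a DNS lookup.
func ValidateWebhookURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed for webhooks", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("webhook URL has no host")
	}
	if ip := net.ParseIP(host); ip != nil {
		return CheckIP(ip)
	}
	ips, err := net.LookupIP(host)
	if err != nil {
		return err
	}
	for _, ip := range ips {
		if err := CheckIP(ip); err != nil {
			return err
		}
	}
	return nil
}

// NewWebhookClient is the delivery-time side: the dialer's Control hook sees
// the address actually being connected to, so a DNS answer that changed since
// validation (rebinding) is still rejected, and redirects are not followed so
// a permitted host cannot bounce the request to an internal one.
func NewWebhookClient() *http.Client {
	dialer := &net.Dialer{
		Timeout: 10 * time.Second,
		Control: func(network, address string, c syscall.RawConn) error {
			host, _, err := net.SplitHostPort(address)
			if err != nil {
				return err
			}
			return CheckIP(net.ParseIP(host))
		},
	}
	return &http.Client{
		Transport: &http.Transport{DialContext: dialer.DialContext},
		Timeout:   15 * time.Second,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

func main() {
	// Constructed sample targets of the kinds the advisory lists.
	for _, raw := range []string{
		"http://169.254.169.254/latest/meta-data/iam/security-credentials/",
		"http://127.0.0.1:6379/",
		"http://[fd00::1]/",
		"https://93.184.216.34/hook",
	} {
		fmt.Printf("%-70s %v\n", raw, ValidateWebhookURL(raw))
	}
}
```

Validating only at creation time is not sufficient: the hostname's DNS answer can change between validation and delivery, and a 3xx from an allowed host can point at an internal one, which is why the delivering client re-checks the resolved address on every connection and refuses redirects. Deployments that need to reach services on private ranges should allow-list specific hosts rather than weaken CheckIP.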
GHSA · 2025-11-10: CVE-2025-64522 [CRITICAL] CWE-918 Soft Serve is vulnerable to SSRF through its Webhooks
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/charmbracelet/soft-serve/commit/bb73b9a0eea0d902da4811420535842a4f9aae3b
https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.1
https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-vwq2-jx9q-9h9f
Published 2025-11-10