CVE-2025-64522
published 2025-11-10

Priority: P3 44
CVSS 3.1 base score: 7.6 (High)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
EPSS: 0.31% (22.3rd percentile)
Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have a SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints. Version 0.11.1 fixes the vulnerability.
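The description above names the missing control: webhook targets were accepted without checking where they point. The following Go code is an added illustration of that control, not code from Soft Serve or from the 0.11.1 fix. It rejects non-http(s) schemes, localhost names, and any host (IP literal, IPv4-mapped IPv6 literal, or resolved hostname) that lands on a loopback, private, link-local, carrier-grade-NAT, or unspecified address, which covers the internal services, private networks and cloud metadata endpoints the advisory mentions. The resolver is injected so the check runs offline here; the hostnames, addresses and the `constructedLookup` records are made up for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// LookupFunc resolves a hostname to its addresses. It is injected so the
// check can be exercised offline; production code passes net.LookupIP.
type LookupFunc func(host string) ([]net.IP, error)

// blockedNets covers ranges an outbound webhook should never reach: loopback,
// RFC 1918, link-local (which includes the 169.254.169.254 cloud metadata
// address), carrier-grade NAT, the unspecified address and IPv6 equivalents.
var blockedNets = mustParseCIDRs(
	"0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
	"169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
	"::/128", "::1/128", "fc00::/7", "fe80::/10",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// IsPublicIP reports whether ip is a routable, non-internal address.
// net.IP's predicates unwrap IPv4-mapped IPv6 addresses, so ::ffff:10.0.0.5
// is classified the same way as 10.0.0.5.
func IsPublicIP(ip net.IP) bool {
	if ip == nil || ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast() {
		return false
	}
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return false
		}
	}
	return true
}

// ValidateWebhookURL accepts only http(s) URLs whose host is a public address.
// IP literals are checked directly; hostnames are resolved and every returned
// address must pass IsPublicIP, so a name with one internal record is refused.
func ValidateWebhookURL(raw string, lookup LookupFunc) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("webhook url: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("webhook url: scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname() // strips the port and IPv6 brackets
	if host == "" {
		return errors.New("webhook url: missing host")
	}
	lower := strings.ToLower(host)
	if lower == "localhost" || strings.HasSuffix(lower, ".localhost") {
		return errors.New("webhook url: localhost not allowed")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = lookup(host); err != nil {
		return fmt.Errorf("webhook url: resolving %q: %w", host, err)
	}
	if len(ips) == 0 {
		return fmt.Errorf("webhook url: %q resolved to no addresses", host)
	}
	for _, ip := range ips {
		if !IsPublicIP(ip) {
			return fmt.Errorf("webhook url: %q resolves to non-public address %s", host, ip)
		}
	}
	return nil
}

// constructedLookup is a stand-in resolver with made-up records so the example
// runs offline; real code passes net.LookupIP instead.
func constructedLookup(host string) ([]net.IP, error) {
	switch host {
	case "hooks.example.com":
		return []net.IP{net.ParseIP("203.0.113.10")}, nil
	case "split.example.com": // one public and one internal record
		return []net.IP{net.ParseIP("203.0.113.10"), net.ParseIP("10.0.0.5")}, nil
	}
	return nil, errors.New("no such host")
}

func main() {
	for _, raw := range []string{
		"https://hooks.example.com/notify",
		"http://169.254.169.254/latest/meta-data/",
		"http://[::ffff:10.0.0.5]/",
		"http://split.example.com/",
	} {
		fmt.Printf("%-45s -> %v\n", raw, ValidateWebhookURL(raw, constructedLookup))
	}
}
```

A check at webhook creation time is necessary but not sufficient: a hostname can later be re-pointed at an internal address (DNS rebinding) or a delivery can follow a redirect to one. The same `IsPublicIP` test should therefore also run when the webhook fires, ideally inside the HTTP client's dial step against the address actually being connected to, and redirects should be either disabled or re-validated hop by hop.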

Affected (3 ranges)

Vendor          Product                    Version range       Fixed in
charm           soft_serve                 < 0.11.1            0.11.1
charmbracelet   soft-serve                 < 0.11.1            0.11.1
github.com      charmbracelet_soft-serve   >= 0, < 0.11.1      0.11.1