CVE-2025-64522

Published: Nov 10, 2025Modified: Dec 31, 2025

7.6

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N

Exploitability: 2.3 / Impact: 4.7

Source: NVD

Description

Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have a SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints. Version 0.11.1 fixes the vulnerability.

Affected (1)

Products: Charm: Soft Serve

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Charm Soft Serve	Before 0.11.1

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (4)

https://github.com/charmbracelet/soft-serve/commit/bb73b9a0eea0d902da4811420535842a4f9aae3b

Source: security-advisories@github.com

Patch

https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.1

Source: security-advisories@github.com

Release Notes

https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-vwq2-jx9q-9h9f

Source: security-advisories@github.com

ExploitVendor Advisory

https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-vwq2-jx9q-9h9f

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitVendor Advisory

Timeline

No history available yet.