Vulnerability Description
Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have a SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints. Version 0.11.1 fixes the vulnerability.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Charm | Soft Serve | < 0.11.1 |
Related Weaknesses (CWE)
References
- https://github.com/charmbracelet/soft-serve/commit/bb73b9a0eea0d902da48114205358Patch
- https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.1Release Notes
- https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-vwq2-jx9q-9ExploitVendor Advisory
- https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-vwq2-jx9q-9ExploitVendor Advisory
FAQ
What is CVE-2025-64522?
CVE-2025-64522 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have a SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create web...
How severe is CVE-2025-64522?
CVE-2025-64522 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-64522?
Check the references section above for vendor advisories and patch information. Affected products include: Charm Soft Serve.