CVE-2025-64522

EUVD-2025-50811
Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have a SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints. Version 0.11.1 fixes the vulnerability.
SSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.1 CRITICAL
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
GitHub_MCNA
9.1 CRITICAL
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 14%
Affected Products (NVD)
VendorProductVersion
charmsoft_serve
𝑥
< 0.11.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/charmbracelet/soft-serve/commit/bb73b9a0eea0d902da4811420535842a4f9aae3b
https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.1
https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-vwq2-jx9q-9h9f
https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-vwq2-jx9q-9h9f