CVE-2022-29180 MEDIUM

CVE-2022-29180: Charm vulnerable to server-side request forgery (SSRF)

Vendor Charmbracelet
Product charm
Weakness CWE-918 · SSRF
Published May 7, 2022
Last update April 23, 2025
View on NVD All CVEs

CVSS base score

5.9/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

What the vulnerability does

01Description

A vulnerability in which attackers could forge HTTP requests to manipulate the `charm` data directory to access or delete anything on the server. This has been patched and is available in release [v0.12.1](https://github.com/charmbracelet/charm/releases/tag/v0.12.1). We recommend that all users running self-hosted `charm` instances update immediately. This vulnerability was found in-house and we haven't been notified of any potential exploiters. ### Additional notes * Encrypted user data uploaded to the Charm server is safe as Charm servers cannot decrypt user data. This includes filenames, paths, and all key-value data. * Users running the official Charm [Docker images](https://github.com/charmbracelet/charm/blob/main/docker.md) are at minimal risk because the exploit is limited to the containerized filesystem.

Key dates

02Disclosure timeline

May 7, 2022 CVE published
April 23, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-0584 aEnrich Technology a+HRD - Server-Side Request Forgery (SSRF) CVE-2024-35637 WordPress Church Admin plugin <= 4.3.6 - Server Side Request Forgery (SSRF) vulnerability CVE-2026-25494 Craft has a SSRF in GraphQL Asset Mutation via Alternative IP Notation CVE-2025-71259 BMC FootPrints ITSM 20.20.02 <= 20.24.01.001 Blind SSRF in externalfeed/RSS CVE-2026-45061 Budibase: SSRF via trivial `.tar.gz` substring bypass in Plugin URL upload (`/api/plugin`)