CVE-2025-64522 CRITICAL

CVE-2025-64522: Soft Serve is vulnerable to SSRF through its Webhooks

Vendor Charmbracelet
Product soft-serve
Weakness CWE-918 · SSRF
Published November 10, 2025
Last update November 12, 2025

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Changed
Confidentiality High
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

What the vulnerability does

01 Description

Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have an SSRF vulnerability: webhook URLs are not validated, so a repository administrator can register a webhook whose target is an internal service, a private-network host, or a cloud metadata endpoint, and the Soft Serve server issues the request to that target on the administrator's behalf. This is why the vector carries PR:L and S:C: the attacker needs only a low-privileged account that holds admin rights on one repository, and the impact lands on systems beyond Soft Serve itself. Version 0.11.1 fixes the vulnerability. Until an instance is upgraded, restricting outbound connections from the host that runs Soft Serve (so that webhook deliveries cannot reach loopback, private and link-local addresses) limits what a malicious webhook can reach.
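The weakness above is the absence of any check on where a webhook URL points. The following is an added example, written for this page and not Soft Serve's own code or its 0.11.1 fix: a Go validator that rejects webhook targets in loopback, RFC 1918, link-local (which covers the 169.254.169.254 cloud metadata endpoint), CGNAT and IPv6-local ranges, both for literal IP addresses and for hostnames after resolution, plus a dial-time check so that a hostname which later resolves differently (DNS rebinding) is still blocked when the delivery actually connects. The function names (`ValidateWebhookURL`, `checkDialAddr`, `NewWebhookClient`) and the resolver callback are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// Address ranges a webhook must never be allowed to reach (example list,
// not Soft Serve's). 169.254.0.0/16 includes the cloud metadata endpoint.
var blockedNets = mustParseCIDRs(
	"127.0.0.0/8",    // IPv4 loopback
	"10.0.0.0/8",     // RFC 1918
	"172.16.0.0/12",  // RFC 1918
	"192.168.0.0/16", // RFC 1918
	"169.254.0.0/16", // link-local, incl. 169.254.169.254 metadata
	"100.64.0.0/10",  // CGNAT shared address space
	"0.0.0.0/8",      // "this" network
	"::1/128",        // IPv6 loopback
	"fc00::/7",       // IPv6 unique local
	"fe80::/10",      // IPv6 link-local
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

// isBlockedIP reports whether ip falls in a range webhooks may not target.
// IPNet.Contains unwraps IPv4-mapped IPv6 addresses (::ffff:127.0.0.1), so
// those are caught by the IPv4 entries above.
func isBlockedIP(ip net.IP) bool {
	if ip == nil || ip.IsUnspecified() || ip.IsMulticast() {
		return true
	}
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ValidateWebhookURL is the creation-time check. lookup is injected so the
// function can be exercised offline; in production pass net.LookupIP.
func ValidateWebhookURL(raw string, lookup func(host string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q is not allowed for webhooks", u.Scheme)
	}
	if u.User != nil {
		return errors.New("credentials embedded in webhook URL are not allowed")
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("webhook URL has no host")
	}
	if ip := net.ParseIP(host); ip != nil {
		if isBlockedIP(ip) {
			return fmt.Errorf("webhook target %s is not a public address", ip)
		}
		return nil
	}
	ips, err := lookup(host)
	if err != nil {
		return fmt.Errorf("cannot resolve webhook host %q: %w", host, err)
	}
	if len(ips) == 0 {
		return fmt.Errorf("webhook host %q resolved to no addresses", host)
	}
	for _, ip := range ips { // every A/AAAA answer must be acceptable
		if isBlockedIP(ip) {
			return fmt.Errorf("webhook host %q resolves to blocked address %s", host, ip)
		}
	}
	return nil
}

// checkDialAddr is a net.Dialer Control hook. It runs after name resolution,
// with address already in "ip:port" form, so a rebinding answer that differs
// from the one seen by ValidateWebhookURL is refused at connect time.
func checkDialAddr(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	if isBlockedIP(net.ParseIP(host)) {
		return fmt.Errorf("refusing webhook connection to %s", address)
	}
	return nil
}

// NewWebhookClient builds an http.Client that applies checkDialAddr on every
// connection and does not follow redirects (a public host could otherwise
// 302 the delivery into an internal address).
func NewWebhookClient() *http.Client {
	d := &net.Dialer{Timeout: 10 * time.Second, Control: checkDialAddr}
	return &http.Client{
		Timeout:   30 * time.Second,
		Transport: &http.Transport{DialContext: d.DialContext},
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

func main() {
	// Constructed sample targets; the metadata and loopback ones must fail.
	for _, raw := range []string{
		"https://hooks.example.com/ci",
		"http://169.254.169.254/latest/meta-data/",
		"http://[::1]:8080/hook",
	} {
		fmt.Printf("%-45s %v\n", raw, ValidateWebhookURL(raw, net.LookupIP))
	}
}
```

Both layers are needed: the creation-time check gives the administrator an immediate error, while the dialer hook is what actually protects delivery, since DNS answers can change between the two. Redirects are deliberately not followed for the same reason.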

Key dates

02 Disclosure timeline

November 10, 2025 CVE published
November 12, 2025 Record updated