PT-2025-46215 · Unknown · Soft Serve
Tomer-Pl · Published 2025-11-10 · Updated 2025-12-31 · CVE-2025-64522
CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Soft Serve versions prior to 0.11.1
Description: Soft Serve, a self-hostable Git server, contains a Server-Side Request Forgery (SSRF) issue. The application does not validate webhook URLs, which allows repository administrators to create webhooks that target internal services, private networks, and cloud metadata endpoints. This can lead to cloud metadata theft, internal network access, port scanning, data exfiltration, and internal API access. The vulnerable components include Webhook Creation (pkg/ssh/cmd/webhooks.go:125), Backend CreateWebhook (pkg/backend/webhooks.go:17), Backend UpdateWebhook (pkg/backend/webhooks.go:122), and Webhook Delivery (pkg/webhook/webhook.go:97). An example of exploitation involves creating a webhook that accesses http://127.0.0.1:8080/internal using the webhook create command.
Recommendations: Versions prior to 0.11.1 should be updated to version 0.11.1 or later.
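The remediation is the upgrade named above. To make the missing control concrete (the description's point is that webhook URLs are stored and delivered without any check on where they point), the following is an added example of a webhook-URL validator, written for this page and not taken from Soft Serve's code base or its 0.11.1 fix. The function name ValidateWebhookURL, the Resolver type, the demoResolver lookup table and the hosts in it are assumptions constructed for the example; the address classes it rejects are the ones the description lists (loopback and other internal services, private networks, and the link-local range that carries cloud metadata endpoints).

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// ErrForbiddenTarget marks a webhook URL that points into address space a
// self-hosted Git server should never be induced to call on an admin's behalf.
var ErrForbiddenTarget = errors.New("webhook URL targets a forbidden address")

// Resolver maps a host name to the addresses a delivery would connect to.
// It is injected so the check can be exercised offline with a fixed table.
type Resolver func(host string) ([]net.IP, error)

// SystemResolver is the real-world choice: the host's DNS.
func SystemResolver(host string) ([]net.IP, error) { return net.LookupIP(host) }

// demoResolver is a constructed lookup table for the stand-alone run
// (hypothetical hosts, documentation-range addresses).
func demoResolver(host string) ([]net.IP, error) {
	switch strings.ToLower(host) {
	case "hooks.example.com":
		return []net.IP{net.ParseIP("203.0.113.10")}, nil
	case "split.example.com": // one public and one internal record
		return []net.IP{net.ParseIP("203.0.113.10"), net.ParseIP("10.0.0.5")}, nil
	}
	return nil, fmt.Errorf("no such host %q", host)
}

// isForbiddenIP covers loopback, unspecified (0.0.0.0, ::), RFC 1918 and ULA
// ranges, link-local (which includes the 169.254.169.254 cloud metadata
// endpoint) and multicast addresses.
func isForbiddenIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsUnspecified() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast()
}

// ValidateWebhookURL accepts only http/https URLs whose host, after resolution,
// lies entirely outside internal address space. It returns nil for an acceptable
// URL and an error wrapping ErrForbiddenTarget for a rejected one.
func ValidateWebhookURL(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("invalid webhook URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed: %w", u.Scheme, ErrForbiddenTarget)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return fmt.Errorf("missing host: %w", ErrForbiddenTarget)
	}
	if host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return fmt.Errorf("host %q: %w", host, ErrForbiddenTarget)
	}
	ips := []net.IP{}
	if ip := net.ParseIP(host); ip != nil {
		ips = append(ips, ip) // literal address: no lookup needed
	} else if ips, err = resolve(host); err != nil {
		return fmt.Errorf("resolving %q: %w", host, err)
	}
	if len(ips) == 0 {
		return fmt.Errorf("host %q resolved to no addresses", host)
	}
	// Every record must be public: a single internal A/AAAA record is enough to reject.
	for _, ip := range ips {
		if isForbiddenIP(ip) {
			return fmt.Errorf("host %q resolves to %s: %w", host, ip, ErrForbiddenTarget)
		}
	}
	return nil
}

func main() {
	for _, raw := range []string{
		"https://hooks.example.com/notify",         // public target: accepted
		"http://127.0.0.1:8080/internal",           // the advisory's example: rejected
		"http://169.254.169.254/latest/meta-data/", // link-local metadata range: rejected
		"http://[::1]:8080/",                       // IPv6 loopback: rejected
		"https://split.example.com/",               // mixed public/internal records: rejected
		"ftp://hooks.example.com/",                 // wrong scheme: rejected
	} {
		if err := ValidateWebhookURL(raw, demoResolver); err != nil {
			fmt.Printf("reject %-42s %v\n", raw, err)
		} else {
			fmt.Printf("accept %s\n", raw)
		}
	}
}
```

Checking the resolved addresses rather than the host string is what makes the filter robust against alternative spellings of an internal address (decimal or hex forms that a system resolver would still turn into 127.0.0.1). It does not by itself close a DNS-rebinding window between validation at webhook creation and the lookup at delivery time; a server that wants that guarantee repeats the check in the dialer it uses for delivery (a custom DialContext on the HTTP transport) so the address actually connected to is the one that was vetted.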

Tags: Exploit · Fix · SSRF


Weakness Enumeration

Related Identifiers

BDU:2026-00070
CVE-2025-64522
GHSA-VWQ2-JX9Q-9H9F
GO-2025-4111

Affected Products

Soft Serve