CVE-2025-64522

9.1 CRITICAL

📋 TL;DR

Soft Serve versions before 0.11.1 contain a server-side request forgery (SSRF) vulnerability: a repository administrator can register a webhook whose URL points at internal services, private networks, or cloud metadata endpoints, because the server does not validate the target before making the outbound request. Since that request originates from the Soft Serve host, the attacker reaches whatever the host can reach regardless of their own network position, and can use the responses to probe internal infrastructure and potentially obtain sensitive data. Every instance running a vulnerable version is affected.

💻 Affected Systems

Products:
  • Soft Serve
Versions: All versions prior to 0.11.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitation requires repository administrator privileges (the role that can manage webhooks). Every deployment with webhook functionality enabled, including the default configuration, is vulnerable.

📦 What is this software?

Soft Serve is Charm's self-hostable Git server (github.com/charmbracelet/soft-serve), written in Go. Repository webhooks let an administrator register a URL that the server calls with an HTTP request when repository events occur; because the server itself makes that outbound request, an unvalidated webhook URL turns the Git server into a proxy into its own network.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could access cloud metadata endpoints to obtain credentials, pivot to internal services, exfiltrate sensitive data, or perform lateral movement within the network.

🟠

Likely Case

Repository administrators could probe internal services, access internal APIs, or retrieve cloud metadata containing temporary credentials.

🟢

If Mitigated

With proper network segmentation and egress filtering, impact would be limited to internal service discovery and potential denial of service.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires repository administrator access. Once that is held, weaponization is trivial: SSRF is well documented, and the attacker only needs to register a webhook pointing at the target and trigger a repository event that fires it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.11.1

Vendor Advisory: https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-vwq2-jx9q-9h9f

Restart Required: Yes

Instructions:

1. Stop the Soft Serve service.
2. Update to version 0.11.1 or later.
3. Restart the service.
4. Confirm the running binary reports 0.11.1 or later (see How to Verify below) and that webhook creation with an internal URL is now rejected.

🔧 Temporary Workarounds

Disable webhook functionality

Platform: all

Temporarily disable webhook creation and execution until patching is possible

# Disable webhooks in the Soft Serve configuration
# (see the upstream configuration reference for the option name)

Network egress filtering

Platform: linux

Host firewall rules that stop the Soft Serve process from reaching internal ranges and the cloud metadata service. Scope them to the service account so other processes on the host are unaffected. Two caveats: they also block legitimate webhooks to internal CI systems, and if Soft Serve runs in a container or VM the equivalent rule belongs in that network namespace or the cloud security group, not on the host.

# Example iptables rules; "soft-serve" is the assumed service account, adjust to yours.
# REJECT rather than DROP so a blocked delivery fails fast instead of hanging until timeout.
iptables -A OUTPUT -m owner --uid-owner soft-serve -d 169.254.0.0/16 -j REJECT
iptables -A OUTPUT -m owner --uid-owner soft-serve -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner soft-serve -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner soft-serve -d 192.168.0.0/16 -j REJECT
# Add matching ip6tables rules (::1, fc00::/7, fe80::/10) if the host has IPv6.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Soft Serve instances from sensitive internal networks
  • Review and audit all existing webhook configurations for suspicious URLs targeting internal services

🔍 How to Verify

Check if Vulnerable:

Check Soft Serve version. If version is less than 0.11.1, the instance is vulnerable.

Check Version:

soft-serve --version
# upstream builds the binary as `soft`, so on many installs the equivalent is:
soft --version

Verify Fix Applied:

Verify the version is 0.11.1 or later, then, as a repository administrator, try to create webhooks with internal targets such as http://169.254.169.254/ and http://127.0.0.1/ and confirm the server rejects them. Also try a hostname you control that resolves to an internal address: a check that only inspects literal IPs leaves the DNS path open.

📡 Detection & Monitoring

Log Indicators:

  • Webhook creation events with unusual URLs
  • Outbound HTTP requests from Soft Serve to internal IP ranges
  • Failed webhook delivery attempts to internal addresses

Network Indicators:

  • HTTP requests from Soft Serve instances to internal services or cloud metadata endpoints
  • Unusual outbound traffic patterns from Git servers

SIEM Query (pseudo-syntax; port the pattern to your SIEM's regex operator):

source="soft-serve" AND url MATCHES "^https?://(\[?(::1|::ffff:[0-9.]+)\]?|localhost|127\.[0-9.]+|10\.[0-9.]+|172\.(1[6-9]|2[0-9]|3[01])\.[0-9.]+|192\.168\.[0-9.]+|169\.254\.[0-9.]+|metadata\.google\.internal)(:|/|$)"

Anchor on the host portion of the URL. Plain substring matches such as url CONTAINS "10." or "172." also hit public addresses (110.x.x.x, 172.0-15.x.x) and generate noise.
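The following Go program is an added example and is not Soft Serve's own code or its 0.11.1 fix. It shows the three checks this page calls for: the URL validation a server should apply when a repository administrator creates a webhook (the TL;DR's "proper URL validation" and the test under Verify Fix Applied), a dial-time guard so a hostname that passed validation cannot later re-resolve to an internal address (DNS rebinding) or redirect there, and an audit of existing webhook URLs or log lines (the review under If You Can't Patch and the SIEM query above) that parses the host instead of substring-matching "10.". The blocked-range list, the resolver table, the hostnames and the log lines are assumptions constructed for the example; only 169.254.169.254 and metadata.google.internal come from the page.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
	"syscall"
)

// isBlockedIP: unspecified, loopback, RFC 1918 / IPv6 ULA, link-local (which
// holds the metadata address 169.254.169.254), multicast, CGNAT and 0.0.0.0/8.
// net.IP unwraps IPv4-mapped IPv6 (::ffff:10.0.0.5), so it cannot bypass these.
func isBlockedIP(ip net.IP) bool {
	if ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsMulticast() {
		return true
	}
	ip4 := ip.To4()
	return ip4 != nil && (ip4[0] == 0 || (ip4[0] == 100 && ip4[1]&0xc0 == 64))
}

// Resolver is injected so the check runs offline here; fakeResolve is a
// constructed lookup table standing in for DNS (assumed names, not real hosts).
type Resolver func(host string) ([]net.IP, error)

func fakeResolve(host string) ([]net.IP, error) {
	table := map[string]string{
		"metadata.google.internal": "169.254.169.254",
		"hooks.example.com":        "93.184.216.34",
	}
	if a, ok := table[host]; ok {
		return []net.IP{net.ParseIP(a)}, nil
	}
	return nil, fmt.Errorf("no such host: %s", host)
}

// Creation-time check: http(s) only, no localhost, no literal blocked IP, no
// hostname resolving to one; hosts net.ParseIP rejects ("127.1") fail closed.
func validateWebhookURL(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return fmt.Errorf("invalid webhook URL %q: %v", raw, err)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" || host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return fmt.Errorf("host %q not allowed", host)
	}
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil {
		if ips, err = resolve(host); err != nil || len(ips) == 0 {
			return fmt.Errorf("cannot resolve %s: %v", host, err)
		}
	}
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return fmt.Errorf("%s resolves to blocked address %s", host, ip)
		}
	}
	return nil
}

// Shaped for net.Dialer.Control: runs before every connect, including redirect
// hops, so a name that re-resolves internally after validation (DNS rebinding) is refused.
func egressControl(network, address string, _ syscall.RawConn) error {
	host, _, _ := net.SplitHostPort(address)
	if ip := net.ParseIP(host); ip == nil || isBlockedIP(ip) {
		return fmt.Errorf("webhook egress to %s refused", address)
	}
	return nil
}

// sampleLog is constructed for this example; it is not Soft Serve's log format.
var sampleLog = []string{
	`event=webhook.create repo=app url=https://hooks.example.com/ci`,
	`event=webhook.create repo=app url=http://169.254.169.254/latest/meta-data/`,
	`event=webhook.create repo=app url=http://metadata.google.internal/computeMetadata/v1/`,
	`event=webhook.create repo=app url=http://110.20.30.40/notify`,
	`event=webhook.create repo=app url=http://[::ffff:10.0.0.5]/`,
}

// Same check over the url= field of stored webhooks or log lines; parsing the
// host avoids substring false positives ("10." hits 110.x, "172." hits public 172.0-15.x).
func auditWebhookLines(lines []string, resolve Resolver) []string {
	var flagged []string
	for _, line := range lines {
		for _, f := range strings.Fields(line) {
			if !strings.HasPrefix(f, "url=") {
				continue
			}
			if err := validateWebhookURL(strings.TrimPrefix(f, "url="), resolve); err != nil {
				flagged = append(flagged, line+"  <- "+err.Error())
			}
		}
	}
	return flagged
}
```

To apply the dial-time guard to real deliveries, build the http.Transport's DialContext from a `net.Dialer{Control: egressControl}` and cap redirects with CheckRedirect; the Control hook sees the address after resolution, so it covers redirect targets and short forms such as `127.1` that a system resolver would expand. Against the constructed sample, auditWebhookLines flags the metadata IP, the metadata hostname and the IPv4-mapped private address and leaves the public 110.20.30.40 target alone, which is exactly the distinction the substring query misses.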

🔗 References

  • Vendor advisory (GHSA-vwq2-jx9q-9h9f): https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-vwq2-jx9q-9h9f
