SSRF Vulnerability in Soft Serve Git Server by Charmbracelet
CVE-2025-64522

9.1CRITICAL

Key Information:

Vendor

Charmbracelet

Status
Soft-serve
Vendor
CVE Published:
10 November 2025

What is CVE-2025-64522?

The Soft Serve Git server, designed for command line usage, has a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 0.11.1. This issue arises from the lack of validation for webhook URLs, potentially allowing repository administrators to create webhooks targeting internal services, private networks, or even cloud metadata endpoints. To mitigate this risk, users are advised to upgrade to version 0.11.1, which resolves this security flaw thoroughly.

Affected Version(s)

soft-serve < 0.11.1

References

https://github.com/charmbracelet/soft-serve/security/advi...
x_refsource_CONFIRM
https://github.com/charmbracelet/soft-serve/commit/bb73b9...
x_refsource_MISC
https://github.com/charmbracelet/soft-serve/releases/tag/...
x_refsource_MISC

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-64522 : SSRF Vulnerability in Soft Serve Git Server by Charmbracelet