9.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-64522

CVE-2025-64522: Soft Serve is vulnerable to SSRF through its Webhooks

Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have a SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints. Version 0.11.1 fixes the vulnerability.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-64522

CVE-2025-64522:

9.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/charmbracelet/soft-serve	go	< 0.11.0	0.11.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a Server-Side Request Forgery (SSRF) in the webhook functionality of Soft Serve. The root cause is the lack of URL validation when creating or updating webhooks. Repository administrators could specify webhook URLs pointing to internal network addresses, cloud metadata endpoints, or other sensitive locations.

The analysis of the patch commit bb73b9a0eea0d902da4811420535842a4f9aae3b confirms this. The changes introduce validation logic to prevent this.

pkg/backend/webhooks.go: The functions CreateWebhook and UpdateWebhook were modified to include a call to the new webhook.ValidateWebhookURL function. Before this change, these functions accepted any URL provided by the user and persisted it, making them the entry point for the vulnerability.
pkg/webhook/webhook.go: The do function, which is responsible for dispatching the webhook, was changed to use a new secureHTTPClient. This client has a custom dialer that explicitly blocks connections to private and reserved IP addresses. The original code used http.DefaultClient, which has no such restrictions, and was the function that actually executed the forged request.

Therefore, the vulnerable functions are backend.CreateWebhook and backend.UpdateWebhook for accepting the malicious input, and webhook.do for executing the outbound request to the malicious URL.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-64522: Soft Serve is vulnerable to SSRF through its Webhooks

CVE-2025-64522:

9.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

CVE-2025-64522: Soft Serve is vulnerable to SSRF through its Webhooks

9.1

9.1

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI