cvedb.io
CVE-2025-64522
CRITICAL · CVSS 9.1
EPSS exploitation probability: 0%
Published 2025-11-10T23:15:41.987 · Last modified 2026-06-17T09:54:31.847

Summary

Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have a SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints. Version 0.11.1 fixes the vulnerability.

Affected products

charm — soft_serve

Does this affect you?

Add your gear to cvedb and we'll alert you only when charm ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.