Platform
go
Component
github.com/charmbracelet/soft-serve
Fixed in
0.11.2
0.11.1
CVE-2025-64522 identifies a Server-Side Request Forgery (SSRF) vulnerability in the Webhooks feature of Soft Serve, a Go-based tool. Because user-supplied webhook URLs were not properly validated, an attacker could point a webhook at a destination of their choosing and have the server issue the request on their behalf, potentially reaching internal resources or external systems without authorization. The vulnerability affects versions 0.11.0 and earlier, and a fix is available in version 0.11.1.
The SSRF vulnerability in Soft Serve Webhooks poses a significant risk. An attacker could use it to scan internal networks, reach cloud metadata services (potentially revealing credentials), or interact with internal APIs. Successful exploitation could lead to unauthorized data exfiltration, modification of internal systems, or complete compromise of the affected server. The impact is amplified if the Webhooks feature is configured to interact with sensitive internal services or with external APIs that require authentication tokens.
CVE-2025-64522 was publicly disclosed on 2025-11-17. The vulnerability's SSRF nature makes it potentially attractive to attackers seeking to map internal networks or access sensitive data. There are currently no known public exploits or active campaigns targeting this vulnerability, but the ease of SSRF exploitation suggests a moderate risk of future exploitation. The vulnerability has not been added to the CISA KEV catalog at the time of this writing.
Exploit Status
EPSS
0.06% (18th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-64522 is to upgrade Soft Serve to version 0.11.1 or later immediately. If upgrading is not immediately feasible, apply strict validation to webhook URLs so that only http and https destinations on public addresses are accepted, rejecting loopback, private, link-local and cloud-metadata ranges. Additionally, restrict the outbound network access of the Soft Serve instance with firewall rules that allow only the connections it actually needs. Review and audit existing webhook configurations to identify and remove any potentially vulnerable settings. After upgrading, confirm the fix by verifying the version number using go version within the Soft Serve environment.
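The interim workaround above, validating webhook URLs, is only effective if it rejects every destination an SSRF would reach. The following is an added example in Go, not Soft Serve's own code, of what such a check looks like: it accepts only http/https, refuses embedded credentials and localhost, resolves the host, and rejects any address in loopback, private, link-local (which includes the 169.254.169.254 metadata address), multicast, unspecified or broadcast space. It also builds an http.Client whose dialer re-checks the address it actually connects to and refuses redirects, which covers the case where DNS changes between validation and delivery. The function names, the Resolver type and the 203.0.113.0/24 and example.com addresses are assumptions constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"syscall"
	"time"
)

// Resolver is the DNS lookup used by ValidateWebhookURL (net.LookupIP in production).
type Resolver func(host string) ([]net.IP, error)

// ErrForbiddenTarget wraps every rejection so callers can use errors.Is.
var ErrForbiddenTarget = errors.New("webhook target not allowed")

// isDisallowedIP reports whether ip is in a range a webhook must never reach:
// loopback, RFC 1918/ULA private space, link-local (which includes the
// 169.254.169.254 cloud metadata address), multicast, unspecified or broadcast.
// The net.IP methods unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) before checking.
func isDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified() ||
		ip.Equal(net.IPv4bcast)
}

// ValidateWebhookURL checks a user-supplied webhook URL when it is configured
// and returns the addresses it resolved to. Every address must be allowed, so
// a name with one public and one private record is rejected.
func ValidateWebhookURL(raw string, resolve Resolver) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("%w: %v", ErrForbiddenTarget, err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("%w: scheme %q", ErrForbiddenTarget, u.Scheme)
	}
	if u.User != nil {
		return nil, fmt.Errorf("%w: credentials embedded in URL", ErrForbiddenTarget)
	}
	host := strings.TrimSuffix(strings.ToLower(u.Hostname()), ".")
	if host == "" || host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return nil, fmt.Errorf("%w: host %q", ErrForbiddenTarget, host)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else {
		if ips, err = resolve(host); err != nil {
			return nil, fmt.Errorf("%w: %s: %v", ErrForbiddenTarget, host, err)
		}
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("%w: %s has no addresses", ErrForbiddenTarget, host)
	}
	for _, ip := range ips {
		if isDisallowedIP(ip) {
			return nil, fmt.Errorf("%w: %s resolves to %s", ErrForbiddenTarget, host, ip)
		}
	}
	return ips, nil
}

// NewWebhookClient returns an http.Client whose dialer re-checks the address
// it is actually connecting to, so a record that changes between validation
// and delivery (DNS rebinding) is still caught. Redirects are not followed,
// so a validated public host cannot bounce the request to an internal one.
func NewWebhookClient() *http.Client {
	dialer := &net.Dialer{
		Timeout: 10 * time.Second,
		Control: func(_, address string, _ syscall.RawConn) error {
			host, _, err := net.SplitHostPort(address)
			if err != nil {
				return err
			}
			if ip := net.ParseIP(host); ip == nil || isDisallowedIP(ip) {
				return fmt.Errorf("%w: dial to %s", ErrForbiddenTarget, address)
			}
			return nil
		},
	}
	return &http.Client{
		Timeout:   15 * time.Second,
		Transport: &http.Transport{DialContext: dialer.DialContext},
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

func main() {
	// Constructed input: 169.254.169.254 is the link-local metadata address.
	_, err := ValidateWebhookURL("http://169.254.169.254/latest/meta-data/", net.LookupIP)
	fmt.Println("rejected:", err)
}
```

Validation at configuration time alone is not enough, because the name can resolve differently when the webhook fires; the Control hook on the dialer is what makes the check hold at delivery time. Both layers share isDisallowedIP so the two decisions cannot drift apart.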
Update soft-serve to version 0.11.1 or later. This version fixes the SSRF vulnerability by correctly validating webhook URLs. Updating will prevent attackers from reaching internal services or private endpoints through malicious webhooks.
CVE-2025-64522 is a critical SSRF vulnerability affecting Soft Serve Webhooks versions 0.11.0 and below, allowing attackers to initiate unauthorized requests.
If you are using Soft Serve Webhooks version 0.11.0 or earlier, you are potentially affected by this SSRF vulnerability.
Upgrade Soft Serve Webhooks to version 0.11.1 or later to resolve the SSRF vulnerability. Implement input validation and restrict network access as temporary workarounds.
There are currently no known public exploits or active campaigns targeting CVE-2025-64522, but the SSRF nature suggests a potential risk.
Refer to the official Soft Serve project repository and release notes for the advisory and detailed mitigation instructions.