Platform: go
Component: github.com/charmbracelet/soft-serve
Fixed versions: 0.11.2, 0.11.1
CVE-2025-64522 identifies a Server-Side Request Forgery (SSRF) vulnerability within the Webhooks feature of Soft Serve, a Go-based tool. This flaw enables attackers to craft malicious requests, potentially accessing sensitive internal resources or interacting with external systems without proper authorization. The vulnerability affects versions 0.11.0 and earlier, and a fix is available in version 0.11.1.
The SSRF vulnerability in Soft Serve Webhooks poses a significant risk. An attacker could leverage this to scan internal networks, access cloud metadata services (potentially revealing credentials), or even interact with internal APIs. Successful exploitation could lead to unauthorized data exfiltration, modification of internal systems, or even complete compromise of the affected server. The impact is amplified if the Webhooks feature is configured to interact with sensitive internal services or external APIs containing authentication tokens.
CVE-2025-64522 was publicly disclosed on 2025-11-17. The vulnerability's SSRF nature makes it potentially attractive to attackers seeking to map internal networks or access sensitive data. There are currently no known public exploits or active campaigns targeting this vulnerability, but the ease of SSRF exploitation suggests a moderate risk of future exploitation. The vulnerability has not been added to the CISA KEV catalog at the time of this writing.
Organizations utilizing Soft Serve Webhooks in their CI/CD pipelines or other automated workflows are at risk. Specifically, deployments where Webhooks interact with internal APIs or cloud metadata services are particularly vulnerable. Shared hosting environments where Soft Serve is installed alongside other applications should also be considered at higher risk.
• go: Inspect Soft Serve configuration files for webhook URLs containing suspicious or unexpected domains.
  grep -r 'webhook_url' /etc/soft-serve/*
• generic web: Monitor access logs for unusual outbound requests originating from the Soft Serve instance. Look for requests to internal IP addresses or unexpected external domains. (curl -v prints request headers on stderr, so redirect it before grepping.)
  curl -sv <soft_serve_instance_url>/webhooks 2>&1 | grep -i 'host:'
• generic web: Check for exposed webhook endpoints that could be exploited.
  curl -I <soft_serve_instance_url>/webhooks
Exploitation status
EPSS: 0.06% (18th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-64522 is to upgrade Soft Serve to version 0.11.1 or later immediately. If upgrading is not immediately feasible, implement strict validation of webhook URLs so that an attacker cannot point a webhook at internal or private endpoints. Additionally, restrict network access from the Soft Serve instance with firewall rules that allow only the outbound connections it needs. Review and audit existing webhook configurations to identify and remove any potentially vulnerable entries. After upgrading, confirm the installed version; the "go version" command suggested for this reports the Go toolchain version rather than the Soft Serve release, so check the Soft Serve binary or package version itself as well.
Update soft-serve to 0.11.1 or later. This version fixes the SSRF vulnerability by properly validating webhook URLs. The update prevents attackers from reaching internal services or private endpoints through a malicious webhook.
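One way to implement the webhook URL validation described above, as an added Go example that is not Soft Serve's own code (the project's actual fix in 0.11.1 may differ): it requires http or https, refuses embedded credentials, resolves the host through an injected Resolver so a test can use a fixed table, and rejects any answer in loopback, private, link-local, multicast or unspecified space. The Resolver interface and the isForbidden and ValidateWebhookURL names are assumptions.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/netip"
	"net/url"
)

// Resolver is satisfied by *net.Resolver; a test can substitute a fixed table.
type Resolver interface{ LookupNetIP(ctx context.Context, network, host string) ([]netip.Addr, error) }

// isForbidden flags loopback, private, link-local (which covers 169.254.169.254),
// multicast and unspecified addresses, unmapping IPv4-in-IPv6 forms first.
func isForbidden(a netip.Addr) bool {
	a = a.Unmap()
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() ||
		a.IsLinkLocalMulticast() || a.IsMulticast() || a.IsUnspecified()
}

// ValidateWebhookURL rejects non-http(s) schemes, embedded credentials and hosts in
// internal space; it returns the vetted addresses so the caller can dial exactly
// those instead of re-resolving the name later (closing the DNS-rebinding window).
func ValidateWebhookURL(ctx context.Context, raw string, r Resolver) ([]netip.Addr, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.User != nil {
		return nil, fmt.Errorf("scheme %q not allowed or URL carries credentials", u.Scheme)
	}
	host, addrs := u.Hostname(), []netip.Addr{}
	if ip, perr := netip.ParseAddr(host); perr == nil {
		addrs = append(addrs, ip) // literal IP: no DNS involved
	} else if addrs, err = r.LookupNetIP(ctx, "ip", host); err != nil || len(addrs) == 0 {
		return nil, fmt.Errorf("lookup of %q failed or returned no addresses: %v", host, err)
	}
	for _, a := range addrs { // every answer must pass, not just the first one
		if isForbidden(a) {
			return nil, fmt.Errorf("host %q resolves to forbidden address %s", host, a)
		}
	}
	return addrs, nil
}

func main() { // quick check against the real resolver
	fmt.Println(ValidateWebhookURL(context.Background(), "http://169.254.169.254/", net.DefaultResolver))
}
```

A dispatcher should hand the returned addresses to its dialer rather than let the HTTP client resolve the hostname again, otherwise a name that validated as public can be re-answered with an internal address at connect time.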
CVE-2025-64522 is a critical SSRF vulnerability affecting Soft Serve Webhooks versions 0.11.0 and below, allowing attackers to initiate unauthorized requests.
If you are using Soft Serve Webhooks version 0.11.0 or earlier, you are potentially affected by this SSRF vulnerability.
Upgrade Soft Serve Webhooks to version 0.11.1 or later to resolve the SSRF vulnerability. Implement input validation and restrict network access as temporary workarounds.
There are currently no known public exploits or active campaigns targeting CVE-2025-64522, but the SSRF nature suggests a potential risk.
Refer to the official Soft Serve project repository and release notes for the advisory and detailed mitigation instructions.