Home > Vulnerability Database > CVE-2025-64522

Mend.io Vulnerability Database

CVE-2025-64522

Good to know:

Date: November 10, 2025

Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have a SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints. Version 0.11.1 fixes the vulnerability.

Severity Score

9.1

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-64522

Url: https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.1

Url: https://github.com/charmbracelet/soft-serve/commit/bb73b9a0eea0d902da4811420535842a4f9aae3b

Url: https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-vwq2-jx9q-9h9f

Url: https://github.com/charmbracelet/soft-serve

Url: https://www.mend.io/vulnerability-database/CVE-2025-64522

Severity Score

9.1

Weakness Type (CWE)

Server-Side Request Forgery (SSRF)

CWE-918

Top Fix

Upgrade Version

Upgrade to version github.com/charmbracelet/soft-serve - v0.11.1

Learn More

CVSS v3.1

Base Score:	9.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2025-64522

Good to know:

Date: November 10, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?