
CVE-2025-64522: Soft Serve is vulnerable to SSRF through its Webhooks

November 10, 2025 (updated November 15, 2025)

SUMMARY

We have identified and verified an SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints.

AFFECTED COMPONENTS (VERIFIED)

  1. Webhook Creation (pkg/ssh/cmd/webhooks.go:125)
  2. Backend CreateWebhook (pkg/backend/webhooks.go:17)
  3. Backend UpdateWebhook (pkg/backend/webhooks.go:122)
  4. Webhook Delivery (pkg/webhook/webhook.go:97)

IMPACT

This vulnerability allows repository administrators to perform SSRF attacks, potentially enabling:

  a) Cloud Metadata Theft - Access AWS/Azure/GCP credentials via 169.254.169.254
  b) Internal Network Access - Target localhost and private networks (10.x, 192.168.x, 172.16.x)
  c) Port Scanning - Enumerate internal services via response codes and timing
  d) Data Exfiltration - Full HTTP responses stored in webhook delivery logs
  e) Internal API Access - Call internal admin panels and Kubernetes endpoints
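A defender-side check of the kind this class of bug calls for, added here as an example in Go; it is not Soft Serve's own code or its fix. It rejects webhook URLs whose host is a literal or resolves to the loopback, private and link-local destinations listed above; the deny-list and the injected lookup function are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Ranges matching the destinations named in the advisory: loopback, RFC 1918
// private space, link-local (cloud metadata at 169.254.169.254) and IPv6
// equivalents. This deny-list is constructed here, not Soft Serve's own code.
var blockedCIDRs = []string{
	"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
}

func isBlocked(ip net.IP) bool {
	for _, c := range blockedCIDRs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// ValidateWebhookURL rejects non-HTTP(S) URLs and any target whose address,
// literal or resolved, lies in a blocked range. lookup is injected so the check
// runs offline; production code passes net.LookupIP and re-checks at delivery.
func ValidateWebhookURL(raw string, lookup func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	host := u.Hostname()
	if (u.Scheme != "http" && u.Scheme != "https") || host == "" {
		return fmt.Errorf("webhook URL must be http(s) with a host: %q", raw)
	}
	ips := []net.IP{net.ParseIP(host)} // literal IP, or nil for a hostname
	if ips[0] == nil {
		if ips, err = lookup(host); err != nil || len(ips) == 0 {
			return fmt.Errorf("cannot resolve %q: %v", host, err)
		}
	}
	for _, ip := range ips {
		if isBlocked(ip) {
			return fmt.Errorf("%s resolves to blocked address %s", host, ip)
		}
	}
	return nil
}
```

Because a hostname can resolve to a public address at creation time and an internal one later, the same check belongs in the delivery path as well, not only in webhook create/update.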

PROOF OF CONCEPT

Simple example demonstrating localhost access:

ssh localhost webhook create my-repo http://127.0.0.1:8080/internal \
--events push --active

Then push to the repository to trigger webhook delivery.

References

  • github.com/advisories/GHSA-vwq2-jx9q-9h9f
  • github.com/charmbracelet/soft-serve
  • github.com/charmbracelet/soft-serve/commit/bb73b9a0eea0d902da4811420535842a4f9aae3b
  • github.com/charmbracelet/soft-serve/releases/tag/v0.11.1
  • github.com/charmbracelet/soft-serve/security/advisories/GHSA-vwq2-jx9q-9h9f
  • nvd.nist.gov/vuln/detail/CVE-2025-64522

Affected versions

All versions before 0.11.1

Fixed versions

  • 0.11.1

Solution

Upgrade to version 0.11.1 or above.

Impact 9.1 CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Weakness

  • CWE-918: Server-Side Request Forgery (SSRF)

Source file

go/github.com/charmbracelet/soft-serve/CVE-2025-64522.yml

Page generated Mon, 24 Nov 2025 00:20:11 +0000.