A critical security vulnerability in Soft Serve, a widely used self-hostable Git server, could allow an attacker who already holds repository-administrator rights to reach internal network resources from the server, exposing systems and data that are never meant to be accessible from outside. Tracked as CVE-2025-64522, the flaw affects all versions of Soft Serve prior to 0.11.1.
The vulnerability is a Server-Side Request Forgery (SSRF) caused by inadequate validation of webhook URLs. Because Soft Serve delivers webhooks by making an outbound HTTP request to whatever URL is configured, a repository administrator who supplies a malicious webhook URL can make the Git server connect to arbitrary internal hosts on the administrator's behalf, including hosts that are isolated from the public internet and that trust requests arriving from the server's network position.
The vulnerability carries a CRITICAL severity rating under CVSS 3.1. Successful exploitation could expose a range of sensitive internal resources: cloud instance metadata services (for example the AWS endpoint at `http://169.254.169.254/`, which can hand out temporary credentials), internal HTTP-accessible databases and services that rely on network isolation rather than authentication, or even local files via `file://` URIs. Depending on which internal services are reachable from the Git server, this can lead to data breaches, privilege escalation, or a complete compromise of the affected system.
The developers have addressed the flaw in Soft Serve version 0.11.1. The update introduces stricter validation of webhook URLs so that a webhook can no longer be pointed at destinations the server should not contact.
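To make the class of check concrete, the following Go program is an added example written for this article; it is not Soft Serve's own code and does not reproduce the exact change shipped in 0.11.1, and the function and type names (ValidateWebhookURL, dialGuard, NewSafeWebhookClient, ConstructedLookup) are hypothetical. It shows the two layers a webhook sender needs: a save-time validator that accepts only http(s) URLs whose host resolves exclusively to public addresses, and a dial-time guard on the HTTP client, because a save-time check alone can be defeated by DNS rebinding (the attacker's domain answers with a public address when the hook is saved and with 127.0.0.1 when it fires). The resolver is a constructed lookup table so the program runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"syscall"
	"time"
)

// Added example for this article; hypothetical names, not Soft Serve's code.

// ErrUnsafeWebhookURL marks any destination a webhook must never reach.
var ErrUnsafeWebhookURL = errors.New("webhook URL targets a non-public destination")

// Lookup resolves a hostname; injected so the example runs offline.
type Lookup func(host string) ([]net.IP, error)

// ConstructedLookup is a fake resolver with made-up records for the demo.
func ConstructedLookup(host string) ([]net.IP, error) {
	switch strings.ToLower(host) {
	case "hooks.example.com":
		return []net.IP{net.ParseIP("203.0.113.10")}, nil // public (TEST-NET-3)
	case "db.internal":
		return []net.IP{net.ParseIP("10.0.0.5")}, nil // RFC 1918
	}
	return nil, fmt.Errorf("constructed resolver: no record for %q", host)
}

// isPublicIP rejects loopback, RFC 1918 / ULA, link-local (which covers the
// metadata address 169.254.169.254), multicast and unspecified addresses.
// net.IP unwraps IPv4-mapped IPv6 (::ffff:127.0.0.1), so that encoding is caught too.
func isPublicIP(ip net.IP) bool {
	if ip == nil {
		return false
	}
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() ||
		ip.IsMulticast() || ip.IsUnspecified())
}

// ValidateWebhookURL is the save-time check: http(s) only, a real host, and
// every address it resolves to must be public. Returns the addresses on success.
func ValidateWebhookURL(raw string, lookup Lookup) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
	default: // file://, gopher://, ftp:// have no business in a webhook
		return nil, fmt.Errorf("%w: scheme %q", ErrUnsafeWebhookURL, u.Scheme)
	}
	host := u.Hostname()
	if host == "" || strings.Contains(host, "%") { // empty host or IPv6 zone id
		return nil, fmt.Errorf("%w: bad host %q", ErrUnsafeWebhookURL, host)
	}
	if l := strings.ToLower(host); l == "localhost" || strings.HasSuffix(l, ".localhost") {
		return nil, fmt.Errorf("%w: %s", ErrUnsafeWebhookURL, host)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = lookup(host); err != nil {
		return nil, fmt.Errorf("resolving %s: %w", host, err)
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("%w: %s has no addresses", ErrUnsafeWebhookURL, host)
	}
	for _, ip := range ips {
		if !isPublicIP(ip) {
			return nil, fmt.Errorf("%w: %s resolves to %s", ErrUnsafeWebhookURL, host, ip)
		}
	}
	return ips, nil
}

// dialGuard re-checks the IP actually being connected to. This defeats DNS
// rebinding and resolver quirks (hex/decimal IPv4 forms some libc resolvers
// accept), and it also covers redirect targets, which dial via the same transport.
func dialGuard(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	if ip := net.ParseIP(host); !isPublicIP(ip) {
		return fmt.Errorf("%w: refusing to dial %s", ErrUnsafeWebhookURL, address)
	}
	return nil
}

// NewSafeWebhookClient is the HTTP client webhook delivery should use.
func NewSafeWebhookClient() *http.Client {
	dialer := &net.Dialer{Timeout: 10 * time.Second, Control: dialGuard}
	return &http.Client{
		Timeout:   15 * time.Second,
		Transport: &http.Transport{DialContext: dialer.DialContext},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("too many redirects")
			}
			return nil
		},
	}
}

func main() {
	for _, raw := range []string{
		"https://hooks.example.com/deploy",
		"http://169.254.169.254/latest/meta-data/",
		"file:///etc/passwd",
		"http://db.internal/admin",
		"http://[::ffff:127.0.0.1]:8080/",
	} {
		if ips, err := ValidateWebhookURL(raw, ConstructedLookup); err != nil {
			fmt.Printf("REJECT %s: %v\n", raw, err)
		} else {
			fmt.Printf("ACCEPT %s -> %v\n", raw, ips)
		}
	}
	_ = NewSafeWebhookClient()
}
```

The save-time validator gives the administrator an immediate error for the obvious cases (the metadata address, `file://`, `localhost`, IPv4-mapped loopback, a hostname that resolves into RFC 1918 space). The dial-time guard is the part that actually holds: it runs on the address the dialer is about to connect to, after resolution and for every redirect hop, so a later change in DNS cannot turn a previously approved webhook into an internal request.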
Organizations and users running self-hosted Soft Serve instances are strongly advised to update to version 0.11.1 immediately. After upgrading, it is worth reviewing the webhooks already configured on each repository for URLs that point at internal or link-local addresses, since a malicious hook created before the upgrade does not disappear on its own. As defence in depth, restricting outbound connections from the Git server to the hosts its webhooks legitimately need limits what any future SSRF can reach.

