ghsa-vwq2-jx9q-9h9f
Vulnerability from github
Published
2025-11-10 21:34
Modified
2025-11-15 02:51
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Summary
Soft Serve is vulnerable to SSRF through its Webhooks
Details

SUMMARY

We have identified and verified an SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints.

AFFECTED COMPONENTS (VERIFIED)

  1. Webhook Creation (pkg/ssh/cmd/webhooks.go:125)
  2. Backend CreateWebhook (pkg/backend/webhooks.go:17)
  3. Backend UpdateWebhook (pkg/backend/webhooks.go:122)
  4. Webhook Delivery (pkg/webhook/webhook.go:97)

IMPACT

This vulnerability allows repository administrators to perform SSRF attacks, potentially enabling:

a) Cloud Metadata Theft - Access AWS/Azure/GCP credentials via 169.254.169.254 b) Internal Network Access - Target localhost and private networks (10.x, 192.168.x, 172.16.x) c) Port Scanning - Enumerate internal services via response codes and timing d) Data Exfiltration - Full HTTP responses stored in webhook delivery logs e) Internal API Access - Call internal admin panels and Kubernetes endpoints

PROOF OF CONCEPT

Simple example demonstrating localhost access:

sh ssh localhost webhook create my-repo http://127.0.0.1:8080/internal \ --events push --active

then push to trigger.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/charmbracelet/soft-serve"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64522"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-10T21:34:44Z",
    "nvd_published_at": "2025-11-10T23:15:41Z",
    "severity": "CRITICAL"
  },
  "details": "SUMMARY\n\nWe have identified and verified an SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints.\n\n\nAFFECTED COMPONENTS (VERIFIED)\n\n1. Webhook Creation (pkg/ssh/cmd/webhooks.go:125)\n2. Backend CreateWebhook (pkg/backend/webhooks.go:17)\n3. Backend UpdateWebhook (pkg/backend/webhooks.go:122)\n4. Webhook Delivery (pkg/webhook/webhook.go:97)\n\nIMPACT\n\nThis vulnerability allows repository administrators to perform SSRF attacks, potentially enabling:\n\na) Cloud Metadata Theft - Access AWS/Azure/GCP credentials via 169.254.169.254\nb) Internal Network Access - Target localhost and private networks (10.x, 192.168.x, 172.16.x)\nc) Port Scanning - Enumerate internal services via response codes and timing\nd) Data Exfiltration - Full HTTP responses stored in webhook delivery logs\ne) Internal API Access - Call internal admin panels and Kubernetes endpoints\n\nPROOF OF CONCEPT\n\nSimple example demonstrating localhost access:\n\n```sh\nssh localhost webhook create my-repo http://127.0.0.1:8080/internal \\\n    --events push --active\n```\n\nthen push to trigger.",
  "id": "GHSA-vwq2-jx9q-9h9f",
  "modified": "2025-11-15T02:51:46Z",
  "published": "2025-11-10T21:34:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-vwq2-jx9q-9h9f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64522"
    },
    {
      "type": "WEB",
      "url": "https://github.com/charmbracelet/soft-serve/commit/bb73b9a0eea0d902da4811420535842a4f9aae3b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/charmbracelet/soft-serve"
    },
    {
      "type": "WEB",
      "url": "https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Soft Serve is vulnerable to SSRF through its Webhooks"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.