The vulnerability CVE-2025-64522 affects charmbracelet's soft-serve, a self-hosted Git server used primarily via command line. Versions prior to 0.11.1 do not properly validate webhook URLs configured by repository administrators. This flaw enables an attacker with repository admin privileges to craft webhooks that perform Server-Side Request Forgery (SSRF) attacks. SSRF allows the attacker to make the server send HTTP requests to arbitrary internal or external resources, including private network services and cloud provider metadata endpoints, which often contain sensitive information such as credentials or configuration data. The vulnerability is classified under CWE-918 (SSRF). The CVSS v3.1 score is 9.1 (critical), reflecting network attack vector, low attack complexity, required privileges (PR:L), no user interaction, and a scope change with high confidentiality impact, low integrity impact, and low availability impact. No known exploits are currently reported in the wild, but the potential impact is severe. The issue is resolved in soft-serve version 0.11.1 by implementing proper validation of webhook URLs to prevent SSRF. Organizations running vulnerable versions should prioritize patching to prevent unauthorized internal network access and data leakage.

For European organizations, the SSRF vulnerability poses significant risks to confidentiality by potentially exposing internal services and cloud metadata endpoints that may contain sensitive credentials or configuration data. This can lead to unauthorized access to internal resources, lateral movement within networks, and compromise of cloud infrastructure. Integrity impact is lower but still present due to possible manipulation of internal services via forged requests. Availability impact is minimal but could occur if internal services are overwhelmed by SSRF requests. Organizations using soft-serve in development, CI/CD pipelines, or internal Git hosting environments are at risk, especially if repository admin accounts are compromised or misused. The vulnerability could facilitate espionage, data breaches, or cloud account takeover, which are critical concerns under European data protection regulations such as GDPR. The lack of required user interaction simplifies exploitation once admin privileges are obtained, increasing the threat level.

European organizations should immediately upgrade all instances of charmbracelet soft-serve to version 0.11.1 or later, which contains the fix for this SSRF vulnerability. Until upgrading is possible, restrict repository administrator privileges to trusted personnel only and audit existing webhook configurations for suspicious or unexpected URLs targeting internal or cloud metadata endpoints. Implement network segmentation and firewall rules to limit the Git server's ability to reach sensitive internal services and cloud metadata IP ranges (e.g., 169.254.169.254 for AWS). Monitor logs for unusual outbound requests originating from the soft-serve server. Employ intrusion detection systems to detect SSRF patterns. Additionally, enforce multi-factor authentication and strong access controls on repository admin accounts to reduce the risk of privilege misuse. Regularly review and update security policies related to self-hosted development tools. Consider deploying web application firewalls (WAFs) with SSRF detection capabilities as an additional layer of defense.