Publish GHSA-vwq2-jx9q-9h9f

advisory-database[bot] · advisory-database[bot] · commit b6cd98c9a5fa · 2025-11-10T21:36:44.000Z
diff --git a/advisories/github-reviewed/2025/11/GHSA-vwq2-jx9q-9h9f/GHSA-vwq2-jx9q-9h9f.json b/advisories/github-reviewed/2025/11/GHSA-vwq2-jx9q-9h9f/GHSA-vwq2-jx9q-9h9f.json
@@ -0,0 +1,68 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-vwq2-jx9q-9h9f",
+  "modified": "2025-11-10T21:34:45Z",
+  "published": "2025-11-10T21:34:44Z",
+  "aliases": [
+    "CVE-2025-64522"
+  ],
+  "summary": "Soft Serve is vulnerable to SSRF through its Webhooks",
+  "details": "SUMMARY\n\nWe have identified and verified an SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints.\n\n\nAFFECTED COMPONENTS (VERIFIED)\n\n1. Webhook Creation (pkg/ssh/cmd/webhooks.go:125)\n2. Backend CreateWebhook (pkg/backend/webhooks.go:17)\n3. Backend UpdateWebhook (pkg/backend/webhooks.go:122)\n4. Webhook Delivery (pkg/webhook/webhook.go:97)\n\nIMPACT\n\nThis vulnerability allows repository administrators to perform SSRF attacks, potentially enabling:\n\na) Cloud Metadata Theft - Access AWS/Azure/GCP credentials via 169.254.169.254\nb) Internal Network Access - Target localhost and private networks (10.x, 192.168.x, 172.16.x)\nc) Port Scanning - Enumerate internal services via response codes and timing\nd) Data Exfiltration - Full HTTP responses stored in webhook delivery logs\ne) Internal API Access - Call internal admin panels and Kubernetes endpoints\n\nPROOF OF CONCEPT\n\nSimple example demonstrating localhost access:\n\n```sh\nssh localhost webhook create my-repo http://127.0.0.1:8080/internal \\\n    --events push --active\n```\n\nthen push to trigger.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/charmbracelet/soft-serve"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.11.1"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 0.11.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-vwq2-jx9q-9h9f"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/charmbracelet/soft-serve/commit/bb73b9a0eea0d902da4811420535842a4f9aae3b"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/charmbracelet/soft-serve"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-10T21:34:44Z",
+    "nvd_published_at": null
+  }
+}
