A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in the Soft Serve Git server. This flaw allows authenticated repository administrators to force the server to make unauthorized requests to internal network resources by creating malicious webhooks. Successful exploitation could lead to internal network scanning, data exfiltration, and unauthorized access to other internal systems.

The vulnerability exists within the webhook functionality of the Soft Serve Git server. The application fails to properly validate user-supplied URLs for webhooks. An authenticated attacker with repository administrator privileges can configure a webhook to point to an internal IP address or a sensitive cloud metadata endpoint (e.g., http://127.0.0.1:8080, http://169.254.169.254). When an event triggers the webhook (such as a code push), the Soft Serve server will send a request to the malicious URL, allowing the attacker to interact with services on the server's local network that would otherwise be inaccessible.

This vulnerability is rated as critical severity with a CVSS score of 9.1. Exploitation can severely compromise the confidentiality and integrity of an organization's internal network. An attacker could leverage this SSRF flaw to scan internal networks, access sensitive internal services like databases or administrative panels, and exfiltrate credentials from cloud provider metadata services. This access could serve as a pivot point for lateral movement, leading to a more significant breach of the entire corporate network.

Immediate Action: Immediately upgrade all instances of Soft Serve to version 0.11.1 or a later patched version. After updating, review all existing webhook configurations to identify and remove any URLs that point to internal or suspicious endpoints.

Proactive Monitoring: Implement monitoring on the server hosting Soft Serve. Specifically, monitor for outbound network connections originating from the Soft Serve process, paying close attention to requests targeting internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or cloud metadata endpoints. Review application logs for the creation or modification of webhooks with unusual URL schemes or destinations.

Compensating Controls: If immediate patching is not feasible, implement strict egress filtering rules via a host-based or network firewall. Block the Soft Serve server from initiating connections to internal network segments and known cloud metadata IP addresses. If the webhook feature is not in use, consider disabling it entirely as a temporary mitigation measure.

Public Exploit Available: false

Given the critical CVSS score of 9.1, this vulnerability requires immediate attention. Organizations must prioritize applying the patch to upgrade all Soft Serve instances to a secure version (0.11.1 or later). Although this vulnerability is not currently listed on the CISA KEV catalog, its potential for enabling network pivoting and data exfiltration presents a severe risk. We strongly recommend a proactive approach to patching and monitoring to prevent potential exploitation.