Soft Serve Git Server SSRF Vulnerability in Webhook URLs

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Soft Serve, a self-hostable Git server, in versions prior to 0.11.1. The vulnerability arises because webhook URLs are not properly validated, allowing repository administrators to create webhooks that target internal services, private networks, and cloud metadata endpoints. This could lead to unauthorized access to sensitive information or services.

Impact

Because the Git server itself issues the webhook request, a repository administrator who can define webhooks can direct the server's outbound HTTP requests at internal services, private networks, and cloud metadata endpoints, potentially leading to unauthorized data access or manipulation.

Reproduction

To reproduce this vulnerability, create a webhook in a repository using a URL that points to a private network address, such as localhost or a cloud metadata service. The webhook creation will succeed, demonstrating the lack of URL validation. Afterward, push a commit to the repository to trigger the webhook and access the internal service or metadata.
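The root cause described above is that the webhook target URL is accepted without any check on where it points. The following Go function is an added example of the kind of validation a defender would want in front of webhook creation; it is not Soft Serve's own code, and the function names, the `Resolver` type and the sample hostnames (`hooks.example.com`, documentation range 203.0.113.0/24) are constructed for this illustration. It enforces an http(s) scheme, refuses `localhost`, resolves the hostname, and rejects the URL if any resolved address is loopback, private, link-local (169.254.0.0/16, where the usual cloud metadata endpoint lives), multicast or unspecified. It returns the vetted addresses so the caller can dial exactly those rather than re-resolving the name, which closes the window for DNS rebinding between check and use.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver abstracts DNS lookup so the check can run offline in tests.
// Assumed interface for this example, not Soft Serve's own API.
type Resolver func(ctx context.Context, host string) ([]net.IP, error)

// SystemResolver performs the lookup with the host's DNS configuration.
func SystemResolver(ctx context.Context, host string) ([]net.IP, error) {
	addrs, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil {
		return nil, err
	}
	ips := make([]net.IP, 0, len(addrs))
	for _, a := range addrs {
		ips = append(ips, a.IP)
	}
	return ips, nil
}

var ErrDisallowedURL = errors.New("webhook URL rejected")

// IsDisallowedIP reports whether ip lies in a range a webhook must never reach:
// loopback (127/8, ::1), private space (RFC 1918, fc00::/7), link-local
// (169.254/16 incl. the cloud metadata address, fe80::/10), multicast and the
// unspecified address. IPv4-mapped IPv6 (::ffff:127.0.0.1) is covered because
// the net.IP predicates unwrap it via To4().
func IsDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsInterfaceLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// ValidateWebhookURL parses raw, requires an http(s) scheme, resolves the host
// and rejects the URL if any resolved address is disallowed. On success it
// returns the vetted addresses for the caller to dial directly.
func ValidateWebhookURL(ctx context.Context, raw string, resolve Resolver) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("%w: %v", ErrDisallowedURL, err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("%w: scheme %q not allowed", ErrDisallowedURL, u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return nil, fmt.Errorf("%w: empty host", ErrDisallowedURL)
	}
	// "localhost" and names under .localhost resolve to loopback by convention.
	if host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return nil, fmt.Errorf("%w: host %q is loopback", ErrDisallowedURL, host)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address: nothing to resolve
	} else if ips, err = resolve(ctx, host); err != nil {
		return nil, fmt.Errorf("%w: resolving %q: %v", ErrDisallowedURL, host, err)
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("%w: %q resolved to no addresses", ErrDisallowedURL, host)
	}
	// Reject if *any* record is internal; a name mixing one public and one
	// private address must not slip through on the public one.
	for _, ip := range ips {
		if IsDisallowedIP(ip) {
			return nil, fmt.Errorf("%w: %q resolves to disallowed address %s", ErrDisallowedURL, host, ip)
		}
	}
	return ips, nil
}

func main() {
	// Constructed sample inputs; the offline resolver stands in for DNS.
	offline := func(_ context.Context, host string) ([]net.IP, error) {
		if host == "hooks.example.com" {
			return []net.IP{net.ParseIP("203.0.113.10")}, nil
		}
		return nil, errors.New("no such host")
	}
	for _, raw := range []string{
		"https://hooks.example.com/deploy",
		"http://127.0.0.1:8080/hook",
		"http://169.254.169.254/latest/meta-data/",
		"http://[::ffff:10.0.0.1]/hook",
		"http://localhost/hook",
	} {
		_, err := ValidateWebhookURL(context.Background(), raw, offline)
		fmt.Printf("%-45s -> %v\n", raw, err)
	}
}
```

In production the call would pass `SystemResolver`, and the HTTP client that delivers the webhook should be given a custom `DialContext` that connects only to the returned addresses; checking the URL once at creation time and then letting the client resolve the name again at delivery time leaves the check bypassable by a record that changes between the two lookups.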

Remediation

Update to Soft Serve version 0.11.1 or later, which contains the fix for this vulnerability.

Added: Nov 10, 2025, 11:18 PM
Updated: Nov 10, 2025, 11:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.8
exploitability: 3.9
remediation: 7.7
relevance: 1.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.