CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22130 – Soft Serve allows path traversal attacks
https://notcve.org/view.php?id=CVE-2025-22130
08 Jan 2025 — Soft Serve is a self-hostable Git server for the command line. Prior to 0.8.2 , a path traversal attack allows existing non-admin users to access and take over other user's repositories. A malicious user then can modify, delete, and arbitrarily repositories as if they were an admin user without explicitly giving them permissions. This is patched in v0.8.2. • https://github.com/charmbracelet/soft-serve/commit/a8d1bf3f9349c138383b65079b7b8ad97fff78f4 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41956 – Soft Serve allows arbitrary code execution by crafting git-lfs requests
https://notcve.org/view.php?id=CVE-2024-41956
01 Aug 2024 — Soft Serve is a self-hostable Git server for the command line. Prior to 0.7.5, it is possible for a user who can commit files to a repository hosted by Soft Serve to execute arbitrary code via environment manipulation and Git. The issue is that Soft Serve passes all environment variables given by the client to git subprocesses. This includes environment variables that control program execution, such as LD_PRELOAD. This vulnerability is fixed in 0.7.5. • https://github.com/charmbracelet/soft-serve/commit/4daebdd422a6ba8c04162d023f8be355a8fe3184 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •