CVE-2025-22130
Published: 08 January 2025
Description
Soft Serve is a self-hostable Git server for the command line. Prior to 0.8.2 , a path traversal attack allows existing non-admin users to access and take over other user's repositories. A malicious user then can modify, delete, and arbitrarily repositories as if they were an admin user without explicitly giving them permissions. This is patched in v0.8.2.
Security Summary
CVE-2025-22130 is a path traversal vulnerability (CWE-22) in Soft Serve, a self-hostable Git server designed for command-line use. Versions prior to 0.8.2 are affected, where the flaw enables unauthorized access to repository paths. Published on January 8, 2025, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability can be exploited by existing non-administrative users over the network with low attack complexity and no user interaction required. Attackers with low privileges can traverse paths to access, take over, modify, delete, or arbitrarily manage other users' repositories, effectively gaining administrative-like control without explicit permissions.
Mitigation is available in Soft Serve version 0.8.2, which patches the issue. Administrators should upgrade immediately. Key resources include the fixing commit at https://github.com/charmbracelet/soft-serve/commit/a8d1bf3f9349c138383b65079b7b8ad97fff78f4, release notes at https://github.com/charmbracelet/soft-serve/releases/tag/v0.8.2, and the GitHub security advisory at https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-j4jw-m6xr-fv6c.
Details
- CWE(s)