CVE-2025-22130

Soft Serve is a self-hostable Git server for the command line. Prior to 0.8.2 , a path traversal attack allows existing non-admin users to access and take over other user's repositories. A malicious user then can modify, delete, and arbitrarily repositories as if they were an admin user without explicitly giving them permissions. This is patched in v0.8.2.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/charmbracelet/soft-serve/commit/a8d1bf3f9349c138383b65079b7b8ad97fff78f4	Patch
https://github.com/charmbracelet/soft-serve/releases/tag/v0.8.2	Release Notes
https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-j4jw-m6xr-fv6c	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:charm:soft_serve:*:*:*:*:*:go:*:*

History

06 Nov 2025, 22:04

Type	Values Removed	Values Added
References	~~() https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-j4jw-m6xr-fv6c - Patch, Third Party Advisory~~	() https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-j4jw-m6xr-fv6c - Patch, Vendor Advisory

05 Sep 2025, 15:44

Type	Values Removed	Values Added
Summary		(es) Soft Serve es un servidor Git autoalojado para la línea de comandos. Antes de la versión 0.8.2, un ataque de path traversal permite a los usuarios no administradores existentes acceder y tomar el control de los repositorios de otros usuarios. Un usuario malintencionado puede modificar, eliminar y acceder a repositorios de forma arbitraria como si fuera un usuario administrador sin darles permisos explícitos. Esto se solucionó en la versión 0.8.2.
First Time		Charm Charm soft Serve
References	~~() https://github.com/charmbracelet/soft-serve/commit/a8d1bf3f9349c138383b65079b7b8ad97fff78f4 -~~	() https://github.com/charmbracelet/soft-serve/commit/a8d1bf3f9349c138383b65079b7b8ad97fff78f4 - Patch
References	~~() https://github.com/charmbracelet/soft-serve/releases/tag/v0.8.2 -~~	() https://github.com/charmbracelet/soft-serve/releases/tag/v0.8.2 - Release Notes
References	~~() https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-j4jw-m6xr-fv6c -~~	() https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-j4jw-m6xr-fv6c - Patch, Third Party Advisory
CPE		cpe:2.3:a:charm:soft_serve::::::go::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8

08 Jan 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-08 16:15

Updated : 2025-11-06 22:04

NVD link : CVE-2025-22130

Mitre link : CVE-2025-22130

CVE.ORG link : CVE-2025-22130

JSON object : View

Products Affected

charm

soft_serve

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

8.8 /10