CVE-2024-41956 HIGH

CVE-2024-41956: Soft Serve allows arbitrary code execution by crafting git-lfs requests

Vendor Charmbracelet
Product soft-serve
Weakness CWE-78
Published August 1, 2024
Last update August 2, 2024

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Soft Serve is a self-hostable Git server for the command line. Prior to 0.7.5, it is possible for a user who can commit files to a repository hosted by Soft Serve to execute arbitrary code via environment manipulation and Git. The issue is that Soft Serve passes all environment variables given by the client to git subprocesses. This includes environment variables that control program execution, such as LD_PRELOAD. This vulnerability is fixed in 0.7.5.

Key dates

02Disclosure timeline

August 1, 2024 CVE published
August 2, 2024 Record updated