CVE-2025-22130 MEDIUM

CVE-2025-22130: Soft Serve allows path traversal attacks

Vendor Charmbracelet
Product soft-serve
Weakness CWE-22 · Path traversal
Published January 8, 2025
Last update January 8, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Soft Serve is a self-hostable Git server for the command line. Prior to 0.8.2, a path traversal attack allows existing non-admin users to access and take over other users' repositories. A malicious user can then modify, delete, and otherwise arbitrarily act on those repositories as if they were an admin user, without having been explicitly granted permissions. This is patched in v0.8.2.
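The record gives no detail of the traversal itself, so the following is an added illustration of the CWE-22 mitigation pattern for a Git server, not Soft Serve's own code or its actual fix: a resolver that rejects "." and ".." segments in a client-supplied repository name before building the on-disk path, so a name such as "bob/../alice/private" can never be authorised as bob's repository while resolving to alice's. The function name and the repository root are assumptions chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrInvalidRepoName = errors.New("invalid repository name")

// ResolveRepoPath maps a client-supplied repository name (forward-slash
// separated, as in a Git URL) onto a filesystem path under root. Every
// segment is checked on the raw name: filepath.Clean alone would collapse
// "bob/../alice/private" to "alice/private" and silently point a request
// that was authorised as bob's at another user's repository.
func ResolveRepoPath(root, name string) (string, error) {
	if name == "" || strings.HasPrefix(name, "/") || strings.ContainsAny(name, "\\\x00") {
		return "", ErrInvalidRepoName
	}
	for _, seg := range strings.Split(name, "/") {
		if seg == "" || seg == "." || seg == ".." {
			return "", ErrInvalidRepoName
		}
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	full := filepath.Join(absRoot, filepath.FromSlash(name))
	// Defence in depth: the joined path must still sit strictly under root.
	if !strings.HasPrefix(full, absRoot+string(filepath.Separator)) {
		return "", ErrInvalidRepoName
	}
	return full, nil
}

func main() {
	root := "/srv/git/repos" // constructed example root, not a Soft Serve path
	names := []string{"bob/project", "bob/../alice/private", "../alice/private", "/etc/passwd"}
	for _, n := range names {
		p, err := ResolveRepoPath(root, n)
		fmt.Printf("%-24q -> %q (err: %v)\n", n, p, err)
	}
}
```

Authorisation must then be evaluated against the same validated name that produced the path, never against the raw request string.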

Key dates

02 Disclosure timeline

January 8, 2025 CVE published
January 8, 2025 Record updated