CVE-2025-22130

8.8 HIGH

📋 TL;DR

CVE-2025-22130 is a path traversal vulnerability in Soft Serve Git server that allows non-admin users to access and take over other users' repositories. Attackers can modify, delete, and control repositories as if they were admin users without proper permissions. This affects all Soft Serve instances running versions prior to 0.8.2.

💻 Affected Systems

Products:
  • Soft Serve
Versions: All versions prior to 0.8.2
Operating Systems: All platforms running Soft Serve
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. The vulnerability requires an existing user account but does not require admin privileges.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all repositories, including deletion, modification, and unauthorized administrative control over the entire Git server instance.

🟠 Likely Case

Unauthorized access to sensitive repositories, data theft, code manipulation, and potential supply chain attacks through repository modifications.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent unauthorized users from reaching vulnerable instances.

🌐 Internet-Facing: HIGH - Internet-facing Soft Serve instances are directly exploitable by authenticated users.
🏢 Internal Only: HIGH - Internal instances are vulnerable to any authenticated user with malicious intent.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires an existing user account but no special privileges. The path traversal technique is well-documented in the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.8.2

Vendor Advisory: https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-j4jw-m6xr-fv6c

Restart Required: No

Instructions:

1. Stop the Soft Serve service.
2. Update to version 0.8.2 or later using your package manager or by downloading from GitHub releases.
3. Restart the service.

🔧 Temporary Workarounds

Restrict User Access (applies to: all)

Temporarily restrict access to only trusted users until patching can be completed.

# Review and remove untrusted users from Soft Serve configuration
# Consider disabling user registration temporarily

🧯 If You Can't Patch

  • Implement strict network access controls to limit which users can reach the Soft Serve instance
  • Enable detailed audit logging and monitor for unusual repository access patterns

🔍 How to Verify

Check if Vulnerable:

Check the installed Soft Serve version. If it is lower than 0.8.2, the system is vulnerable.

Check Version:

soft-serve --version

Verify Fix Applied:

Confirm version is 0.8.2 or higher and test that users cannot access repositories outside their permissions.
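The version comparison above is easy to get wrong when done as a string compare ("0.10.0" sorts before "0.8.2" lexically), so here is an added example, not part of this advisory page or the Soft Serve project, that parses the numeric version triple out of the `--version` output and compares it numerically against the 0.8.2 fix version. The exact wording the binary prints and the binary name `soft-serve` (taken from the page's command) are assumptions; only the MAJOR.MINOR.PATCH digits are relied upon.

```python
"""Added example: classify a Soft Serve install as fixed or not for CVE-2025-22130.

Not from the advisory or the Soft Serve project. The patch version 0.8.2 is
the one stated on the page; the version-output wording is an assumption.
"""
import re
import subprocess
from typing import Optional, Tuple

PATCH_VERSION: Tuple[int, int, int] = (0, 8, 2)  # fixed in 0.8.2 per the advisory

# First MAJOR.MINOR.PATCH triple anywhere in the text (handles "soft v0.8.1", "0.8.2", ...).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the numeric version triple, or None if the text carries none."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version_text: str) -> Optional[bool]:
    """True if below 0.8.2, False if 0.8.2 or later, None if unparseable.

    Tuple comparison is numeric per component, so 0.10.0 correctly counts as
    newer than 0.8.2 (a plain string compare would say the opposite)."""
    version = parse_version(version_text)
    if version is None:
        return None
    return version < PATCH_VERSION


def check_installed(binary: str = "soft-serve") -> Optional[bool]:
    """Run the page's version command and classify its output.

    The binary name follows the advisory's `soft-serve --version`; adjust it if
    your installation names the executable differently. Returns None when the
    command is missing or prints no version, which should trigger a manual check."""
    try:
        proc = subprocess.run(
            [binary, "--version"], capture_output=True, text=True, timeout=10
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return is_vulnerable(proc.stdout + proc.stderr)


if __name__ == "__main__":
    # Constructed sample strings; the live check is check_installed().
    for sample in ("soft v0.7.9", "soft v0.8.1", "soft v0.8.2", "soft v0.10.0", "unknown"):
        print(f"{sample!r}: vulnerable={is_vulnerable(sample)}")
```

A `None` result is deliberately distinct from `False`: a host where the binary is missing from `PATH`, or prints something the regex cannot read, should land in a "review manually" bucket rather than be reported as patched.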

📡 Detection & Monitoring

Log Indicators:

  • Unusual repository access patterns
  • Users accessing repositories they don't own
  • Failed path traversal attempts in logs

Network Indicators:

  • Unusual Git operations from non-admin users
  • Multiple repository access attempts from single user

SIEM Query:

source="soft-serve" AND (event="repository_access" OR event="git_operation") AND user!="admin" AND repository NOT IN user_repositories
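The SIEM query above is pseudo-syntax, and `repository NOT IN user_repositories` in particular needs an ownership lookup that most SIEMs cannot express inline. As an added example, not part of this page or of Soft Serve, the following script applies the same logic offline over JSON log records: non-admin `repository_access` / `git_operation` events are flagged when the repository is outside the user's allowed set, and additionally when the repository name carries a `..` segment or an absolute path (the page's "path traversal attempts" indicator). The record field names, the ownership map and the sample log lines are all constructed for the example; Soft Serve's real log format is not shown on the page, so map the fields to what your deployment actually emits.

```python
"""Added example: offline version of the page's SIEM detection for CVE-2025-22130.

Not from the advisory or the Soft Serve project. Field names, the ownership
map and the sample records are constructed; adapt them to real log output.
"""
import json
from typing import Dict, List, Set

# Constructed ownership map: user -> repositories that user is allowed to reach.
# In production this would be pulled from the server's user/repo configuration.
USER_REPOSITORIES: Dict[str, Set[str]] = {
    "alice": {"alice/app", "alice/docs"},
    "bob": {"bob/tools"},
}

# The two event kinds named in the page's SIEM query.
WATCHED_EVENTS = {"repository_access", "git_operation"}


def is_traversal(repo: str) -> bool:
    """True when a repository name tries to leave its own path:
    a '..' path segment or an absolute path instead of 'owner/name'."""
    return ".." in repo.split("/") or repo.startswith("/")


def evaluate(record: dict) -> List[str]:
    """Return the reasons a record is suspicious; an empty list means benign."""
    reasons: List[str] = []
    if record.get("source") != "soft-serve":
        return reasons
    if record.get("event") not in WATCHED_EVENTS:
        return reasons
    user = record.get("user", "")
    repo = record.get("repository", "")
    if user == "admin":  # the query excludes the admin user
        return reasons
    if is_traversal(repo):
        reasons.append("traversal-pattern")
    if repo not in USER_REPOSITORIES.get(user, set()):
        reasons.append("repo-not-owned")
    return reasons


def scan(lines: List[str]) -> List[dict]:
    """Parse JSON log lines and return the records that match the detection."""
    hits: List[dict] = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise rather than abort the scan
        reasons = evaluate(rec)
        if reasons:
            hits.append(
                {"user": rec.get("user"), "repository": rec.get("repository"), "reasons": reasons}
            )
    return hits


# Constructed sample log lines; not real Soft Serve output.
SAMPLE_LOGS = [
    '{"source":"soft-serve","event":"git_operation","user":"alice","repository":"alice/app"}',
    '{"source":"soft-serve","event":"repository_access","user":"bob","repository":"alice/app"}',
    '{"source":"soft-serve","event":"git_operation","user":"bob","repository":"bob/../alice/docs"}',
    '{"source":"soft-serve","event":"git_operation","user":"admin","repository":"alice/app"}',
    '{"source":"sshd","event":"login","user":"bob"}',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Against the constructed sample, alice's own access and the admin event pass, the unrelated `sshd` line is ignored, and the two bob records are reported: one purely because the repository is not in his allowed set, the other for both the `..` segment and the ownership mismatch. The `repo-not-owned` reason is the one that matters on a patched server too, since it also surfaces misconfigured collaborator permissions.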
