CVE-2025-58355
📋 TL;DR
Soft Serve versions 0.9.1 and below contain a path traversal vulnerability (CWE-22) in the SSH API that allows attackers to create or overwrite arbitrary files with uncontrolled data. This affects all deployments running vulnerable versions of this self-hostable Git server. Attackers could potentially compromise server integrity or execute arbitrary code.
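The defect class here is CWE-22: a client-supplied path is joined onto a server-side directory without checking that the result stays inside it. The following Go function is an added illustration of the confinement check that closes that class of bug in a file-writing API; it is not Soft Serve's code or its actual fix, and the repository root path it uses is a constructed example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a client-supplied path would escape the root.
var ErrTraversal = errors.New("path escapes repository root")

// SafeJoin confines a client-supplied, repository-relative path to root.
// It rejects absolute paths, collapses "." and ".." segments, and then
// verifies the result is still inside root, so "docs/../hooks/x" is fine
// but "../../outside" and "/etc/x" are refused.
func SafeJoin(root, userPath string) (string, error) {
	if userPath == "" || filepath.IsAbs(userPath) {
		return "", ErrTraversal
	}
	cleanRoot := filepath.Clean(root)
	joined := filepath.Join(cleanRoot, userPath) // Join cleans, collapsing ".."
	rel, err := filepath.Rel(cleanRoot, joined)
	if err != nil {
		return "", ErrTraversal
	}
	// Any leading ".." left after cleaning means the path climbed above root.
	// A plain "..name" is a legitimate file name and is allowed.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return joined, nil
}

func main() {
	// Constructed inputs: two legitimate names and three that must be refused.
	root := "/srv/soft-serve/repos/demo" // assumed example path
	for _, p := range []string{"README.md", "docs/../hooks/update", "..", "../../outside", "/etc/x"} {
		out, err := SafeJoin(root, p)
		fmt.Printf("%-22s -> %q err=%v\n", p, out, err)
	}
}
```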
💻 Affected Systems
- Soft Serve
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through arbitrary file write leading to remote code execution, data destruction, or persistent backdoor installation.
Likely Case
Unauthorized file creation/modification leading to service disruption, data corruption, or privilege escalation.
If Mitigated
Limited impact if proper network segmentation and access controls prevent unauthorized SSH access.
🎯 Exploit Status
Exploitation requires SSH access to the Soft Serve instance but no authentication to the service itself.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.10.0
Vendor Advisory: https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-33pr-m977-5w97
Restart Required: Yes
Instructions:
1. Stop the Soft Serve service.
2. Update to version 0.10.0 via package manager or manual installation.
3. Restart the service.
🔧 Temporary Workarounds
Network Access Restriction
Restrict SSH access to Soft Serve to trusted IP addresses only.
Use firewall rules (e.g., iptables, nftables) to limit access to the SSH port.
Disable SSH API
Temporarily disable SSH access if it is not required.
Stop the Soft Serve service or block the SSH port in the configuration.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Soft Serve from untrusted networks
- Monitor SSH logs for unusual file creation patterns and implement file integrity monitoring
🔍 How to Verify
Check if Vulnerable:
Check the Soft Serve version: if it is 0.9.1 or lower, the system is vulnerable.
Check Version:
soft-serve --version
Verify Fix Applied:
Confirm version is 0.10.0 or higher and test SSH API functionality.
📡 Detection & Monitoring
Log Indicators:
- Unusual SSH connections to Soft Serve
- File creation/modification in unexpected locations via SSH
Network Indicators:
- SSH traffic to Soft Serve from unauthorized sources
- Unusual file transfer patterns over SSH
SIEM Query:
source="soft-serve" AND (event="file_write" OR event="ssh_connection") AND path CONTAINS ".."