Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qNGp3LW02eHItZnY2Y84ABDGD
Soft Serve vulnerable to path traversal attacks
Impact
Path traversal attack gives access to existing non-admin users to access and take over other user's repositories. A malicious user then can modify, delete, and arbitrarily repositories as if they were an admin user without explicitly giving them permissions.
Patches
This is patched in v0.8.2
Workarounds
Single user set-ups are not affected. This only affects multi-user Soft Serve set-ups that enable repository creation for users. Otherwise, upgrading is necessary to circumvent the attack.
Permalink: https://github.com/advisories/GHSA-j4jw-m6xr-fv6cJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qNGp3LW02eHItZnY2Y84ABDGD
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 9 days ago
Updated: 9 days ago
EPSS Percentage: 0.00045
EPSS Percentile: 0.17502
Identifiers: GHSA-j4jw-m6xr-fv6c, CVE-2025-22130
References:
- https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-j4jw-m6xr-fv6c
- https://github.com/charmbracelet/soft-serve/commit/a8d1bf3f9349c138383b65079b7b8ad97fff78f4
- https://github.com/charmbracelet/soft-serve/releases/tag/v0.8.2
- https://nvd.nist.gov/vuln/detail/CVE-2025-22130
- https://github.com/advisories/GHSA-j4jw-m6xr-fv6c
Blast Radius: 0.0
Affected Packages
go:github.com/charmbracelet/soft-serve
Dependent packages: 3Dependent repositories: 1
Downloads:
Affected Version Ranges: < 0.8.2
Fixed in: 0.8.2
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.8.0, 0.8.1
All unaffected versions: 0.8.2