Charmbracelet Soft-Serve vulnerabilities
10 known vulnerabilities affecting charmbracelet/soft-serve.
Total CVEs: 10
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 5, MEDIUM 3
Vulnerabilities
CVE-2026-24058 | Priority P2 | CRITICAL | CVSS 9.8 | Fixed in 0.11.3 | Date 2026-01-22
CWE-289
Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including admin) by "offering" the victim's public key during the SSH handshake before authenticating with their own valid key. This occurs because the user id
Source: NVD
CVE-2026-30832 | Priority P2 | CRITICAL | CVSS 9.1 | Affected >= 0.6.0, < 0.11.4 | Date 2026-03-07
CWE-918
Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.4, an authenticated SSH user can force the server to make HTTP requests to internal/private IP addresses by running repo import with a crafted --lfs-endpoint URL. The initial batch request is blind (the response from a metadata endpoint won't pa
Source: NVD
CVE-2025-22130 | Priority P3 | HIGH | CVSS 8.8 | Fixed in 0.8.2 | Date 2025-01-08
CWE-22
Soft Serve is a self-hostable Git server for the command line. Prior to 0.8.2, a path traversal attack allows existing non-admin users to access and take over other users' repositories. A malicious user can then modify, delete, and arbitrarily repositories as if they were an admin user without explicitly being given permissions. This is patched in v0.
Source: NVD
CVE-2024-41956 | Priority P3 | HIGH | CVSS 8.1 | Fixed in 0.7.5 | Date 2024-08-01
CWE-78
Soft Serve is a self-hostable Git server for the command line. Prior to 0.7.5, it is possible for a user who can commit files to a repository hosted by Soft Serve to execute arbitrary code via environment manipulation and Git. The issue is that Soft Serve passes all environment variables given by the client to git subprocesses. This includes environment
Source: NVD
CVE-2023-43809 | Priority P3 | HIGH | CVSS 7.5 | Fixed in 0.6.2 | Date 2023-10-04
CWE-287
Soft Serve is a self-hostable Git server for the command line. Prior to version 0.6.2, a security vulnerability in Soft Serve could allow an unauthenticated, remote attacker to bypass public key authentication when keyboard-interactive SSH authentication is active, through the `allow-keyless` setting, and the public key requires additional client-side
Source: NVD
CVE-2025-58355 | Priority P3 | HIGH | CVSS 7.7 | Fixed in 0.10.0 | Date 2025-09-04
CWE-22
Soft Serve is a self-hostable Git server for the command line. In versions 0.9.1 and below, attackers can create or override arbitrary files with uncontrolled data through its SSH API. This issue is fixed in version 0.10.0.
Source: NVD
CVE-2025-64522 | Priority P3 | HIGH | CVSS 7.6 | Fixed in 0.11.1 | Date 2025-11-10
CWE-918
Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have an SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints. Version 0.11.1 fixes the vulnerability.
Source: NVD
CVE-2026-33353 | Priority P3 | MEDIUM | CVSS 6.5 | Affected >= 0.6.0, < 0.11.6 | Date 2026-03-24
CWE-200
Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.6, an authorization flaw in repo import allows any authenticated SSH user to clone a server-local Git repository, including another user's private repo, into a new repository they control. This issue has been patched in version 0.11.6.
Source: NVD
CVE-2026-22253 | Priority P4 | MEDIUM | CVSS 5.4 | Fixed in 0.11.2 | Date 2026-01-08
CWE-863
Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The vulnerable code path processes force deletions before retrieving user context,
Source: NVD
CVE-2025-64494 | Priority P4 | MEDIUM | CVSS 4.6 | Affected ≤ 0.10.0 | Date 2025-11-08
CWE-150
Soft Serve is a self-hostable Git server for the command line. In versions prior to 0.10.0, there are several places where the user can insert data (e.g. names) and ANSI escape sequences are not being removed, which can then be used, for example, to show fake alerts. By the same token, git messages, when printed, are also not being sanitized. This i
Source: NVD