cvebase

github.com/charmbracelet/soft-serve vulnerabilities

10 known vulnerabilities affecting github.com/charmbracelet/soft-serve.

Total CVEs: 10
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 5, MEDIUM 3

Vulnerabilities

CVE-2026-24058 | P2 | HIGH | Affected: ≥ 0, < 0.11.3 | Date: 2026-01-21
CVE-2026-24058 [HIGH] CWE-289: Soft Serve Affected by an Authentication Bypass
Impact: This issue impacts every Soft Serve instance. A critical authentication bypass allows an attacker to impersonate any user (including Admin) by "offering" the victim's public key during the SSH handshake before authenticating with their own valid key. This occurs because the user identity is stored in the s
Sources: GHSA, OSV
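The excerpt above is cut off before it says where the identity was cached, but the mechanism it describes is a known pitfall of SSH public-key auth: the server's public-key callback is consulted for every key the client offers, including keys the client never proves it holds, and only afterwards does the client sign with one of them. golang.org/x/crypto/ssh documents exactly this (a callback invocation does not mean the key was used to authenticate; anything derived from the key belongs in the returned Permissions). The Go block below is an added illustration, not Soft Serve code and not the x/crypto library: it models the relevant part of the handshake with plain structs, and the "first match wins" caching in vulnerableCallback is a hypothetical shape of the mistake, chosen to show why caching identity from inside the callback is wrong. Keys and users are constructed sample data.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// PubKey stands in for ssh.PublicKey; only the marshaled bytes matter here.
type PubKey []byte

// Fingerprint mirrors the "SHA256:..." form of ssh.FingerprintSHA256.
func Fingerprint(k PubKey) string {
	sum := sha256.Sum256(k)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// Permissions plays the role of ssh.Permissions. The x/crypto server keeps
// only the value returned for the key that produced a valid signature and
// exposes it as ServerConn.Permissions once the handshake is done.
type Permissions struct{ Extensions map[string]string }

type PublicKeyCallback func(key PubKey) (*Permissions, error)

// Constructed sample keys and user table (fingerprint -> username).
var (
	adminKey    = PubKey("ssh-ed25519 AAAA-admin-key-constructed")
	attackerKey = PubKey("ssh-ed25519 AAAA-attacker-key-constructed")
	users       = map[string]string{
		Fingerprint(adminKey):    "admin",
		Fingerprint(attackerKey): "attacker",
	}
)

// sessionState is hypothetical per-connection state; the advisory says the
// identity was stored in session context from inside the callback.
type sessionState struct{ user string }

// vulnerableCallback looks the user up for every key it is shown and caches
// the first hit. The callback also fires for keys the client merely offers
// (no signature yet), so offering the victim's key first poisons the cache.
func vulnerableCallback(s *sessionState) PublicKeyCallback {
	return func(key PubKey) (*Permissions, error) {
		u, ok := users[Fingerprint(key)]
		if !ok {
			return nil, errors.New("unknown key")
		}
		if s.user == "" {
			s.user = u // hypothetical "first match wins" caching
		}
		return &Permissions{}, nil
	}
}

// safeCallback keeps no state. The identity travels inside Permissions,
// which the transport retains only for the key that actually signed.
func safeCallback(key PubKey) (*Permissions, error) {
	u, ok := users[Fingerprint(key)]
	if !ok {
		return nil, errors.New("unknown key")
	}
	return &Permissions{Extensions: map[string]string{"user": u}}, nil
}

// handshake models the "publickey" userauth method: the client may offer any
// number of keys without proving possession (the server consults the callback
// for each), then signs with one key; only that key's callback result becomes
// the connection's Permissions.
func handshake(cb PublicKeyCallback, offered []PubKey, signer PubKey) (*Permissions, error) {
	for _, k := range offered {
		cb(k) // query round: the result only tells the client whether to sign
	}
	return cb(signer)
}

// Attack returns whom each server variant believes it is talking to when the
// attacker offers the admin's public key, then signs with their own key.
func Attack() (vulnerableSees, safeSees string) {
	s := &sessionState{}
	handshake(vulnerableCallback(s), []PubKey{adminKey}, attackerKey)
	vulnerableSees = s.user
	perms, _ := handshake(safeCallback, []PubKey{adminKey}, attackerKey)
	safeSees = perms.Extensions["user"]
	return vulnerableSees, safeSees
}

func main() {
	v, s := Attack()
	fmt.Printf("vulnerable server thinks: %s\nsafe server thinks: %s\n", v, s)
}
```

The practical check on a real server: after ssh.NewServerConn returns, read the user from conn.Permissions.Extensions and nothing else; any per-session map written from inside the callback is attacker-influenced.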
CVE-2026-30832 | P2 | CRITICAL | Affected: ≥ 0.6.0, < 0.11.4 | Date: 2026-03-06
CVE-2026-30832 [CRITICAL] CWE-918: soft-serve vulnerable to SSRF via unvalidated LFS endpoint in repo import
While auditing the codebase in the wake of the webhook SSRF fix shipped in v0.11.1 (GHSA-vwq2-jx9q-9h9f), it was identified that the LFS import path was never given the same treatment. The webhook fix introduced dual-layer SSRF protection — ValidateWebhookURL() at creation time and secureHTTPClient with IP validatio
Sources: GHSA, OSV
CVE-2025-22130 | P3 | MEDIUM | Affected: ≥ 0, < 0.8.2 | Date: 2025-01-08
CVE-2025-22130 [MEDIUM] CWE-22: Soft Serve vulnerable to path traversal attacks
Impact: Path traversal attack gives access to existing non-admin users to access and take over other user's repositories. A malicious user then can modify, delete, and arbitrarily repositories as if they were an admin user without explicitly giving them permissions.
Patches: This is patched in [v0.8.2](https://github.com/charmbracelet/soft-serve/releases/tag/v0
Sources: GHSA, OSV
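The advisory does not say which input carried the traversal, so the following is an added example of the general defence for a Git host that maps client-supplied repository names onto a directory tree; it is not Soft Serve's code. The function name, the name syntax allowlist and the root directory are assumptions. Two independent layers are used on purpose: a strict allowlist of what a name may look like, and a path check on the joined result, so a gap in one is still caught by the other.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

var ErrBadRepoName = errors.New("invalid repository name")

// A segment must start with an alphanumeric, so "." and ".." can never match
// and dot-prefixed names (".git", ".ssh") are excluded as a side effect.
var repoSegment = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$`)

// RepoPath maps a client-supplied name such as "alice/private" to the on-disk
// bare repository under root. Hypothetical helper; the ".git" suffix
// convention is an assumption.
func RepoPath(root, name string) (string, error) {
	name = strings.TrimSuffix(strings.TrimSuffix(name, "/"), ".git")
	if name == "" || strings.ContainsAny(name, "\\\x00") {
		return "", ErrBadRepoName
	}
	// Layer 1: syntax allowlist, checked per slash-separated segment. An empty
	// segment (leading "/" or "//") fails the regexp too.
	for _, seg := range strings.Split(name, "/") {
		if !repoSegment.MatchString(seg) {
			return "", fmt.Errorf("%w: segment %q", ErrBadRepoName, seg)
		}
	}
	// Layer 2: the joined, cleaned path must still be inside root.
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	full := filepath.Join(absRoot, filepath.FromSlash(name)+".git")
	rel, err := filepath.Rel(absRoot, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadRepoName
	}
	return full, nil
}

func main() {
	for _, n := range []string{"alice/private.git", "../../etc/cron.d/x", "alice/../bob"} {
		p, err := RepoPath("/srv/repos", n)
		fmt.Printf("%-22q -> %q %v\n", n, p, err)
	}
}
```

Symlinks inside root are not covered by this check; if users can create them (for example through a repository working tree), resolve the path with filepath.EvalSymlinks before the Rel comparison as well.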
CVE-2024-41956 | P3 | HIGH | Affected: ≥ 0, < 0.7.5 | Date: 2024-08-02
CVE-2024-41956 [HIGH] CWE-78: soft-serve vulnerable to arbitrary code execution by crafting git-lfs requests
Impact: Any servers using soft-serve server and git
Patches: >0.7.5
Workarounds: None.
References: n/a.
It is possible for a user who can commit files to a repository hosted by Soft Serve to execute arbitrary code via environment manipulation and Git. The issue is that Soft Serve passes al
Sources: GHSA, OSV
CVE-2023-43809 | P3 | HIGH | Affected: ≥ 0, < 0.6.2 | Date: 2023-10-02
CVE-2023-43809 [HIGH] CWE-287: Soft Serve Public Key Authentication Bypass Vulnerability when Keyboard-Interactive SSH Authentication is Enabled
Impact: A security vulnerability in Soft Serve could allow an unauthenticated, remote attacker to bypass public key authentication when keyboard-interactive SSH authentication is active, through the `allow-keyless` setting, and the publi
Sources: GHSA, OSV
CVE-2025-58355 | P3 | HIGH | Affected: ≥ 0, < 0.10.0 | Date: 2025-09-02
CVE-2025-58355 [HIGH] CWE-22: Soft Serve vulnerable to arbitrary file writing through SSH API
Attackers can create/override arbitrary files with uncontrolled data. For a PoC, spin up an instance of soft-serve as explained in the README, and execute the following command:

```sh
ssh -p23231 localhost repo commit icecream -- --output=/tmp/pwned
```

It should have created a file in `/tmp/pwned`.
Sources: GHSA, OSV
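CVE-2024-41956 above (client-controlled environment reaching git) and CVE-2025-58355 (a client value, "--output=/tmp/pwned", reaching git's argv after the server's own "--" terminator) are two sides of the same problem: a git child process inheriting attacker-influenced input. The Go block below is an added example of how a host can build that process defensively; it is not Soft Serve's code, and the function names, the environment allowlist and the split of client arguments into revisions and paths are assumptions. Git's own separators are real: "--" ends option parsing before paths, and "--end-of-options" (Git 2.24 and later) does the same before revision arguments.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// allowedGitEnv is the complete environment a git child receives. Anything a
// client pushed over an SSH "env" request is dropped unless listed here, which
// covers GIT_CONFIG_COUNT/GIT_CONFIG_KEY_n/GIT_CONFIG_VALUE_n (inline config
// such as core.fsmonitor or core.sshCommand), GIT_DIR, GIT_SSH_COMMAND,
// LD_PRELOAD and similar. Allowlist contents are an assumption.
var allowedGitEnv = map[string]bool{"PATH": true, "HOME": true, "LANG": true, "TZ": true}

// FilterEnv keeps only allowlisted KEY=value entries. It always returns a
// non-nil slice: exec.Cmd treats a nil Env as "inherit the parent's
// environment", which is exactly what must not happen.
func FilterEnv(env []string) []string {
	out := make([]string, 0, len(env))
	for _, kv := range env {
		key, _, _ := strings.Cut(kv, "=")
		if allowedGitEnv[key] {
			out = append(out, kv)
		}
	}
	return out
}

// GitArgs assembles argv for a git subcommand. fixedOpts are chosen by the
// server; revs and paths come from the client and are placed after the
// separators so git cannot read them as options. Anything that still looks
// like an option is rejected outright so the attempt is visible in logs
// rather than silently treated as a path.
func GitArgs(sub string, fixedOpts, revs, paths []string) ([]string, error) {
	for _, a := range append(append([]string{}, revs...), paths...) {
		if a == "" || strings.HasPrefix(a, "-") {
			return nil, fmt.Errorf("refusing client argument %q", a)
		}
	}
	args := append([]string{sub}, fixedOpts...)
	if len(revs) > 0 {
		args = append(args, "--end-of-options")
		args = append(args, revs...)
	}
	if len(paths) > 0 {
		args = append(args, "--")
		args = append(args, paths...)
	}
	return args, nil
}

// GitCommand builds (but does not run) the process: validated argv, explicit
// working directory, and a filtered environment.
func GitCommand(repoDir, sub string, fixedOpts, revs, paths, clientEnv []string) (*exec.Cmd, error) {
	args, err := GitArgs(sub, fixedOpts, revs, paths)
	if err != nil {
		return nil, err
	}
	cmd := exec.Command("git", args...)
	cmd.Dir = repoDir
	cmd.Env = FilterEnv(clientEnv)
	return cmd, nil
}

func main() {
	_, err := GitCommand("/srv/repos/icecream.git", "log", []string{"--oneline"},
		[]string{"--output=/tmp/pwned"}, nil, nil)
	fmt.Println("smuggled option:", err)
	cmd, _ := GitCommand("/srv/repos/icecream.git", "log", []string{"--oneline"},
		[]string{"main"}, []string{"README.md"}, []string{"PATH=/usr/bin", "LD_PRELOAD=/tmp/x.so"})
	fmt.Println(cmd.Args, cmd.Env)
}
```

Rejecting dash-prefixed values is stricter than git needs once the separators are in place, but it is the check that would have turned the PoC above into a logged error instead of a file write.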
CVE-2025-64522 | P3 | CRITICAL | Affected: ≥ 0, < 0.11.1 | Date: 2025-11-10
CVE-2025-64522 [CRITICAL] CWE-918: Soft Serve is vulnerable to SSRF through its Webhooks
Summary: We have identified and verified an SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints.
Affected components (verified):
1. Webhook Creation (pkg/ssh/cmd/webhooks.go:125)
2. Backend CreateWebhook (pkg/backend/web
Sources: GHSA, OSV
CVE-2026-33353 | P3 | HIGH | Affected: ≥ 0.6.0, < 0.11.6 | Date: 2026-03-19
CVE-2026-33353 [HIGH] CWE-200: In Soft Serve, an authenticated repo import can clone server-local private repositories
Summary: An authorization flaw in `repo import` allows any authenticated SSH user to clone a server-local Git repository, including another user's private repo, into a new repository they control. This breaks the private-repository confidentiality boundary and should be treated as High sev
Sources: GHSA, OSV
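Three entries on this page are about the same missing control on a server-supplied destination: the webhook URL (CVE-2025-64522), the LFS endpoint used during repo import (CVE-2026-30832), and the import source itself, which could be a path on the server (CVE-2026-33353). The CVE-2026-30832 excerpt describes the webhook fix as two layers, a check at creation time and an HTTP client that validates resolved IPs; the Go block below is an added example of that shape, not Soft Serve's ValidateWebhookURL() or secureHTTPClient. The function names, the blocked-range policy and the redirect limit are assumptions. The creation-time check also rejects anything that is not http(s), which is what keeps file:// and bare local paths out of an import.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"
)

// CGNAT (100.64.0.0/10) is the one common internal range that net.IP's own
// predicates do not cover.
var cgnat = func() *net.IPNet { _, n, _ := net.ParseCIDR("100.64.0.0/10"); return n }()

// isPublicIP rejects loopback, RFC 1918 and ULA, link-local (which includes
// the 169.254.169.254 cloud metadata address), multicast, unspecified and
// CGNAT. IPv4-mapped IPv6 forms are handled by the net.IP methods.
func isPublicIP(ip net.IP) bool {
	if ip == nil {
		return false
	}
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified() ||
		cgnat.Contains(ip))
}

// lookupIP is a variable so a test can stub DNS; default is the system resolver.
var lookupIP = net.LookupIP

// ValidateOutboundURL is the creation-time layer, applied to a webhook URL, an
// LFS endpoint or an import source alike.
func ValidateOutboundURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("missing host")
	}
	if u.User != nil {
		return errors.New("credentials in URL not allowed")
	}
	ips := []net.IP{}
	if ip := net.ParseIP(host); ip != nil {
		ips = append(ips, ip)
	} else if ips, err = lookupIP(host); err != nil {
		return err
	}
	for _, ip := range ips {
		if !isPublicIP(ip) {
			return fmt.Errorf("%s resolves to non-public address %s", host, ip)
		}
	}
	return nil
}

// SecureHTTPClient is the request-time layer. It resolves the host itself,
// re-checks every answer and dials the vetted IP rather than the name, so a
// DNS answer that changes between the creation-time check and the connect
// (rebinding) cannot steer the request. Redirect targets are re-validated.
func SecureHTTPClient() *http.Client {
	dialer := &net.Dialer{Timeout: 10 * time.Second}
	tr := &http.Transport{
		Proxy: nil, // never pick up an environment-supplied proxy
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			host, port, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			addrs, err := net.DefaultResolver.LookupIPAddr(ctx, host)
			if err != nil {
				return nil, err
			}
			for _, a := range addrs {
				if !isPublicIP(a.IP) {
					return nil, fmt.Errorf("blocked: %s resolves to %s", host, a.IP)
				}
			}
			return dialer.DialContext(ctx, network, net.JoinHostPort(addrs[0].IP.String(), port))
		},
	}
	return &http.Client{
		Timeout:   15 * time.Second,
		Transport: tr,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("too many redirects")
			}
			return ValidateOutboundURL(req.URL.String())
		},
	}
}

func main() {
	for _, u := range []string{"http://169.254.169.254/latest/meta-data/", "https://203.0.113.5/hooks/1"} {
		fmt.Printf("%-45s %v\n", u, ValidateOutboundURL(u))
	}
}
```

The creation-time check alone is not enough, because a hostname that resolves to a public address when the webhook is saved can resolve to 127.0.0.1 when the hook fires, and a public endpoint can answer with a 302 to an internal one; the dialer and CheckRedirect close both gaps.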
CVE-2026-22253 | P4 | MEDIUM | Affected: ≥ 0, < 0.11.2 | Date: 2026-01-08
CVE-2026-22253 [MEDIUM] CWE-863: Soft Serve is missing an authorization check in LFS lock deletion
LFS Lock Force-Delete Authorization Bypass
Summary: An authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the `force` flag. The vulnerable code path processes force deletions before retrieving user context, bypassing
Sources: GHSA, OSV
CVE-2025-64494 | P4 | MEDIUM | Affected: ≥ 0, < 0.11.0 | Date: 2025-11-06
CVE-2025-64494 [MEDIUM] CWE-150: Soft Serve does not sanitize ANSI escape sequences in user input
Impact: In several places where the user can insert data (e.g. names), ANSI escape sequences are not being removed, which can then be used, for example, to show fake alerts. By the same token, git messages, when printed, are also not being sanitized. Places in which this was found:
1. Repository Description (pkg/backend/repo.go -
Sources: GHSA, OSV
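Stripping escape sequences is easy to get subtly wrong: a regexp for ESC [ ... m misses OSC sequences (which carry hyperlinks and window-title changes and end with BEL or ESC \), the 8-bit C1 forms of CSI and OSC, and sequences that are cut off at the end of the string. The Go block below is an added example of a sanitizer that handles those cases before untrusted text (repository descriptions, commit messages) is written to a terminal; it is not Soft Serve's fix. The sample inputs in main are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// StripANSI removes terminal control sequences from untrusted text:
//   - CSI: ESC [ (or C1 0x9B), parameter/intermediate bytes, final byte 0x40-0x7E
//   - OSC: ESC ] (or C1 0x9D) ... terminated by BEL, ESC \ or C1 0x9C
//   - any other two-byte ESC sequence
//   - bare C0/C1 control characters and DEL, except newline and tab
// Truncated sequences at end of input are dropped rather than passed through.
func StripANSI(s string) string {
	var b strings.Builder
	b.Grow(len(s))
	runes := []rune(s)
	for i := 0; i < len(runes); i++ {
		r := runes[i]
		switch {
		case r == 0x1b && i+1 < len(runes) && runes[i+1] == '[', r == 0x9b:
			if r == 0x1b {
				i++ // skip '['
			}
			for i+1 < len(runes) {
				i++
				if runes[i] >= 0x40 && runes[i] <= 0x7e { // final byte
					break
				}
			}
		case r == 0x1b && i+1 < len(runes) && runes[i+1] == ']', r == 0x9d:
			if r == 0x1b {
				i++ // skip ']'
			}
			for i+1 < len(runes) {
				i++
				if runes[i] == 0x07 || runes[i] == 0x9c {
					break
				}
				if runes[i] == 0x1b && i+1 < len(runes) && runes[i+1] == '\\' {
					i++
					break
				}
			}
		case r == 0x1b:
			i++ // ESC + one byte (e.g. ESC c, reset)
		case r < 0x20 && r != '\n' && r != '\t', r == 0x7f, r >= 0x80 && r <= 0x9f:
			// bare control character: drop
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

func main() {
	samples := []string{
		"\x1b[31;1mALERT: your account was compromised, run: curl ...\x1b[0m",
		"\x1b]8;;http://attacker.example/\x07release notes\x1b]8;;\x07",
		"\x1b]0;soft-serve: admin session\x1b\\normal description",
	}
	for _, s := range samples {
		fmt.Printf("%q\n  -> %q\n", s, StripANSI(s))
	}
}
```

Apply this at the output boundary (when rendering to the TUI or SSH session), not only at input time, so text that reached the database by another path, such as a commit message pushed over git, is covered as well.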