High severity8.1NVD Advisory· Published Aug 1, 2024· Updated Apr 15, 2026
CVE-2024-41956
CVE-2024-41956
Description
Soft Serve is a self-hostable Git server for the command line. Prior to 0.7.5, it is possible for a user who can commit files to a repository hosted by Soft Serve to execute arbitrary code via environment manipulation and Git. The issue is that Soft Serve passes all environment variables given by the client to git subprocesses. This includes environment variables that control program execution, such as LD_PRELOAD. This vulnerability is fixed in 0.7.5.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/charmbracelet/soft-serveGo | < 0.7.5 | 0.7.5 |
Patches
2876db8d25a194daebdd422a6sec: do not append session envs to git run (#544)
1 file changed · +0 −3
pkg/ssh/cmd/git.go+0 −3 modified@@ -202,9 +202,6 @@ func gitRunE(cmd *cobra.Command, args []string) error { ) } - // Add ssh session & config environ - s := sshutils.SessionFromContext(ctx) - envs = append(envs, s.Environ()...) envs = append(envs, cfg.Environ()...) repoPath := filepath.Join(reposDir, repoDir)
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-m445-w3xr-vp2fghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-41956ghsaADVISORY
- github.com/charmbracelet/soft-serve/commit/4daebdd422a6ba8c04162d023f8be355a8fe3184nvdWEB
- github.com/charmbracelet/soft-serve/security/advisories/GHSA-m445-w3xr-vp2fnvdWEB
- pkg.go.dev/vuln/GO-2024-3019ghsaWEB
News mentions
0No linked articles in our index yet.