High severity7.7OSV Advisory· Published Sep 4, 2025· Updated Apr 15, 2026

CVE-2025-58355

Description

Soft Serve is a self-hostable Git server for the command line. In versions 0.9.1 and below, attackers can create or override arbitrary files with uncontrolled data through its SSH API. This issue is fixed in version 0.10.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/charmbracelet/soft-serveGo	< 0.10.0	0.10.0

Affected products

Charmbracelet/Soft ServeOSV
Range: v0.1.0, v0.1.1, v0.1.2, …

Patches

6856877cd42a

feat: add readiness and liveness probes for self healing (#734)

https://github.com/charmbracelet/soft-serveJay MaddenAug 27, 2025via osv

commit

2 files changed · +37 −0

pkg/web/health.go+34 −0 added

@@ -0,0 +1,34 @@
+package web
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/charmbracelet/log/v2"
+	"github.com/charmbracelet/soft-serve/pkg/db"
+	"github.com/gorilla/mux"
+)
+
+// HealthController registers the health check routes for the web server.
+func HealthController(_ context.Context, r *mux.Router) {
+	r.HandleFunc("/livez", getLiveness)
+	r.HandleFunc("/readyz", getReadiness)
+}
+
+func getLiveness(w http.ResponseWriter, _ *http.Request) {
+	renderStatus(http.StatusOK)(w, nil)
+}
+
+func getReadiness(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	logger := log.FromContext(ctx)
+	db := db.FromContext(ctx)
+
+	if err := db.PingContext(ctx); err != nil {
+		logger.Error("error getting db readiness", "err", err)
+		renderStatus(http.StatusServiceUnavailable)(w, nil)
+		return
+	}
+
+	renderStatus(http.StatusOK)(w, nil)
+}

pkg/web/server.go+3 −0 modified

@@ -14,6 +14,9 @@ func NewRouter(ctx context.Context) http.Handler {
 	logger := log.FromContext(ctx).WithPrefix("http")
 	router := mux.NewRouter()
 
+	// Health routes
+	HealthController(ctx, router)
+
 	// Git routes
 	GitController(ctx, router)

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-33pr-m977-5w97ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-58355ghsaADVISORY
github.com/charmbracelet/soft-serve/security/advisories/GHSA-33pr-m977-5w97nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.501
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000