Go modules package
github.com/charmbracelet/soft-serve
pkg:golang/github.com/charmbracelet/soft-serve
Soft Serve is a self-hostable Git server for the command line.
Vulnerabilities (10)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33353 | — | — | | >= 0.6.0, < 0.11.6 | 0.11.6 | Mar 24, 2026 | From version 0.6.0 to before version 0.11.6, an authorization flaw in repo import allows any authenticated SSH user to clone a server-local Git repository, including another user's private repo, into a new repository... |
| CVE-2026-30832 | — | — | | >= 0.6.0, < 0.11.4 | 0.11.4 | Mar 7, 2026 | From version 0.6.0 to before version 0.11.4, an authenticated SSH user can force the server to make HTTP requests to internal/private IP addresses by running repo import with a crafted --lfs-endpoint URL. |
| CVE-2026-24058 | — | — | | < 0.11.3 | 0.11.3 | Jan 22, 2026 | Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including admin) by "offering" the victim's public key during the SSH handshake before aut... |
| CVE-2026-22253 | — | — | | < 0.11.2 | 0.11.2 | Jan 8, 2026 | Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. |
| CVE-2025-64522 | — | — | | < 0.11.1 | 0.11.1 | Nov 10, 2025 | Versions prior to 0.11.1 have an SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoint... |
| CVE-2025-64494 | Medium | 4.6 | | < 0.11.0 | 0.11.0 | Nov 8, 2025 | In versions prior to 0.10.0, there are several places where the user can insert data (e.g. names) and ANSI escape sequences are not being removed, which can then be used, for example, to show fake alerts. |
| CVE-2025-58355 | High | 7.7 | | < 0.10.0 | 0.10.0 | Sep 4, 2025 | In versions 0.9.1 and below, attackers can create or overwrite arbitrary files with uncontrolled data through the SSH API. This issue is fixed in version 0.10.0. |
| CVE-2025-22130 | — | — | | < 0.8.2 | 0.8.2 | Jan 8, 2025 | Prior to 0.8.2, a path traversal attack allows existing non-admin users to access and take over other users' repositories. A malicious user can then modify, delete, and arbitrarily repositories as if they were an adm... |
| CVE-2024-41956 | High | 8.1 | | < 0.7.5 | 0.7.5 | Aug 1, 2024 | Prior to 0.7.5, it is possible for a user who can commit files to a repository hosted by Soft Serve to execute arbitrary code via environment manipulation and Git. The issue is that Soft Serve passes all environment v... |
| CVE-2023-43809 | — | — | | < 0.6.2 | 0.6.2 | Oct 4, 2023 | Prior to version 0.6.2, a security vulnerability in Soft Serve could allow an unauthenticated, remote attacker to bypass public key authentication when keyboard-interactive SSH authentication is active, through the `a... |
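Reading ten overlapping ranges by eye is error-prone, so here is the table turned into a check. This is an added example, not code from the page or from the Soft Serve project: the ranges are copied from the Affected versions / Fixed in columns, the version parser is this example's own, and the input is assumed to be a release tag of the form MAJOR.MINOR.PATCH (optionally with a `v` prefix, a pre-release suffix such as `-rc1`, or build metadata after `+`).

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// advisory is one row of the table: the ID, an inclusive lower bound ("" when
// the advisory gives none) and the first fixed release as the exclusive upper bound.
type advisory struct {
	id, lower, fixed string
}

// advisories mirrors the Affected versions / Fixed in columns above.
var advisories = []advisory{
	{"CVE-2026-33353", "0.6.0", "0.11.6"},
	{"CVE-2026-30832", "0.6.0", "0.11.4"},
	{"CVE-2026-24058", "", "0.11.3"},
	{"CVE-2026-22253", "", "0.11.2"},
	{"CVE-2025-64522", "", "0.11.1"},
	{"CVE-2025-64494", "", "0.11.0"},
	{"CVE-2025-58355", "", "0.10.0"},
	{"CVE-2025-22130", "", "0.8.2"},
	{"CVE-2024-41956", "", "0.7.5"},
	{"CVE-2023-43809", "", "0.6.2"},
}

// version is MAJOR.MINOR.PATCH plus whether a pre-release suffix was present:
// per semver 0.11.6-rc1 orders BEFORE 0.11.6, so it is still inside "< 0.11.6".
type version struct {
	num [3]int
	pre bool
}

// parseVersion accepts "0.11.5", "v0.11.5", "0.11.6-rc1" and "0.11.5+build".
func parseVersion(s string) (version, error) {
	var v version
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexByte(s, '+'); i >= 0 { // build metadata never affects ordering
		s = s[:i]
	}
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre, s = true, s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("version %q: want MAJOR.MINOR.PATCH", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("version %q: bad component %q", s, p)
		}
		v.num[i] = n
	}
	return v, nil
}

// less reports whether a orders strictly before b.
func less(a, b version) bool {
	for i := range a.num {
		if a.num[i] != b.num[i] {
			return a.num[i] < b.num[i]
		}
	}
	return a.pre && !b.pre // same numbers: only a pre-release is earlier
}

// affecting returns, in table order, the IDs whose range contains the version.
func affecting(s string) ([]string, error) {
	v, err := parseVersion(s)
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, a := range advisories {
		fixed, _ := parseVersion(a.fixed) // table values are well-formed
		if !less(v, fixed) {
			continue
		}
		if a.lower != "" {
			if lo, _ := parseVersion(a.lower); less(v, lo) {
				continue
			}
		}
		hits = append(hits, a.id)
	}
	return hits, nil
}

func main() {
	for _, s := range []string{"0.9.1", "v0.11.6-rc1", "0.11.6"} {
		ids, err := affecting(s)
		fmt.Printf("%-12s err=%v affected by: %s\n", s, err, strings.Join(ids, " "))
	}
}
```

Two details worth noticing: a version below 0.6.0 is not affected by the two repo-import advisories, because their ranges have a lower bound, and a pre-release of the fix release (0.11.6-rc1) still counts as affected. For a Go module that imports this package, govulncheck reports the same data from the Go vulnerability database; this check is for a deployed server whose release tag you know.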
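Two of the advisories above (CVE-2025-64522, unvalidated webhook URLs reaching internal services and cloud metadata endpoints; CVE-2026-30832, a crafted `--lfs-endpoint` URL during repo import) are the same class of bug: a server making HTTP requests to a user-supplied URL without checking where it lands. The following is an added example of the check a Go server would want, not Soft Serve's own code; the function names, the injectable `resolver` type and the exact set of blocked prefixes are this example's choices. It rejects a destination if any resolved address is non-public, and repeats the check inside the HTTP transport's dialer so that a hostname whose DNS answer changes after validation (rebinding) is still caught.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"time"
)

var errDisallowed = errors.New("destination is not a public address")

// blockedNets adds space netip.Addr's predicates miss: "this" network, CGNAT,
// IETF assignments, benchmarking, class E/broadcast, NAT64 and the v6 discard prefix.
var blockedNets = []netip.Prefix{
	netip.MustParsePrefix("0.0.0.0/8"), netip.MustParsePrefix("100.64.0.0/10"),
	netip.MustParsePrefix("192.0.0.0/24"), netip.MustParsePrefix("198.18.0.0/15"),
	netip.MustParsePrefix("240.0.0.0/4"), netip.MustParsePrefix("64:ff9b::/96"),
	netip.MustParsePrefix("100::/64"),
}

// isDisallowedIP reports whether ip is anything but public unicast. Unmap() turns
// ::ffff:10.0.0.1 into 10.0.0.1 first; netip does not see through 4-in-6 itself.
func isDisallowedIP(ip netip.Addr) bool {
	ip = ip.Unmap()
	if !ip.IsValid() || ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() || ip.IsMulticast() {
		return true
	}
	for _, p := range blockedNets {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// resolver has net.Resolver.LookupNetIP's shape: the real one in production, a canned one in tests.
type resolver func(ctx context.Context, network, host string) ([]netip.Addr, error)

// resolveChecked turns host (name or IP literal) into addresses and fails if ANY
// is disallowed: the attacker runs DNS for their own name and can mix answers.
func resolveChecked(ctx context.Context, host string, resolve resolver) ([]netip.Addr, error) {
	var ips []netip.Addr
	if lit, err := netip.ParseAddr(host); err == nil {
		ips = []netip.Addr{lit}
	} else if ips, err = resolve(ctx, "ip", host); err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("%s: no addresses", host)
	}
	for _, ip := range ips {
		if isDisallowedIP(ip) {
			return nil, fmt.Errorf("%w: %s -> %s", errDisallowed, host, ip)
		}
	}
	return ips, nil
}

// checkDestination is the validation to run when a webhook URL or LFS endpoint is
// stored: http(s) only, a host, no embedded credentials, public addresses only.
func checkDestination(ctx context.Context, raw string, resolve resolver) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.User != nil || u.Hostname() == "" {
		return nil, fmt.Errorf("%q: need http(s), a host and no embedded credentials", raw)
	}
	if _, err := resolveChecked(ctx, u.Hostname(), resolve); err != nil {
		return nil, err
	}
	return u, nil
}

// safeTransport repeats the check at connect time and dials the exact address it
// checked, so a name whose answer changes after validation (DNS rebinding) gains
// nothing. Redirects and the TLS handshake (by hostname) go through the same dial.
func safeTransport(resolve resolver) *http.Transport {
	d := &net.Dialer{Timeout: 5 * time.Second}
	return &http.Transport{ // Proxy left nil: never honour HTTP_PROXY for server-side fetches
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			host, port, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			ips, err := resolveChecked(ctx, host, resolve)
			if err != nil {
				return nil, err
			}
			return d.DialContext(ctx, network, net.JoinHostPort(ips[0].String(), port))
		},
	}
}
```

In production, build the client as `&http.Client{Transport: safeTransport(net.DefaultResolver.LookupNetIP), Timeout: 10 * time.Second}` and never deliver with `http.DefaultClient`; the dialer here connects to the first checked address only, so a production version would try each address in turn. Storing a validated URL is not enough on its own: `checkDestination` at save time gives the operator a useful error message, while `safeTransport` is what actually prevents the request from reaching 169.254.169.254 or a host on the server's private network.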