Refine your search
5 vulnerabilities found for soft-serve by charmbracelet
CVE-2025-64522 (GCVE-0-2025-64522)
Vulnerability from nvd
Published
2025-11-10 22:11
Modified
2025-11-12 20:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have a SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints. Version 0.11.1 fixes the vulnerability.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| charmbracelet | soft-serve |
Version: < 0.11.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64522",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T17:34:16.843213Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T20:13:12.894Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-vwq2-jx9q-9h9f"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "soft-serve",
"vendor": "charmbracelet",
"versions": [
{
"status": "affected",
"version": "\u003c 0.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have a SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints. Version 0.11.1 fixes the vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T22:11:18.863Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-vwq2-jx9q-9h9f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-vwq2-jx9q-9h9f"
},
{
"name": "https://github.com/charmbracelet/soft-serve/commit/bb73b9a0eea0d902da4811420535842a4f9aae3b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/charmbracelet/soft-serve/commit/bb73b9a0eea0d902da4811420535842a4f9aae3b"
},
{
"name": "https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.1"
}
],
"source": {
"advisory": "GHSA-vwq2-jx9q-9h9f",
"discovery": "UNKNOWN"
},
"title": "Soft Serve is vulnerable to SSRF through its Webhooks"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64522",
"datePublished": "2025-11-10T22:11:18.863Z",
"dateReserved": "2025-11-05T21:15:39.401Z",
"dateUpdated": "2025-11-12T20:13:12.894Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64494 (GCVE-0-2025-64494)
Vulnerability from nvd
Published
2025-11-08 01:19
Modified
2025-11-10 15:11
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences
Summary
Soft Serve is a self-hostable Git server for the command line. In versions prior to 0.10.0, there are several places where the user can insert data (e.g. names) and ANSI escape sequences are not being removed, which can then be used, for example, to show fake alerts. In the same token, git messages, when printed, are also not being sanitized. This issue is fixed in version 0.10.0.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| charmbracelet | soft-serve |
Version: <= 0.10.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64494",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-10T15:10:37.122847Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T15:11:01.604Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "soft-serve",
"vendor": "charmbracelet",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Soft Serve is a self-hostable Git server for the command line. In versions prior to 0.10.0, there are several places where the user can insert data (e.g. names) and ANSI escape sequences are not being removed, which can then be used, for example, to show fake alerts. In the same token, git messages, when printed, are also not being sanitized. This issue is fixed in version 0.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-150",
"description": "CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-08T01:19:01.203Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-fv2r-r8mp-pg48",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-fv2r-r8mp-pg48"
},
{
"name": "https://github.com/charmbracelet/soft-serve/commit/d9639320b8d0ccd76fe6836a042c042b0ebde549",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/charmbracelet/soft-serve/commit/d9639320b8d0ccd76fe6836a042c042b0ebde549"
}
],
"source": {
"advisory": "GHSA-fv2r-r8mp-pg48",
"discovery": "UNKNOWN"
},
"title": "Soft Serve does not sanitize ANSI escape sequences in user input"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64494",
"datePublished": "2025-11-08T01:19:01.203Z",
"dateReserved": "2025-11-05T19:12:25.103Z",
"dateUpdated": "2025-11-10T15:11:01.604Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22130 (GCVE-0-2025-22130)
Vulnerability from nvd
Published
2025-01-08 15:43
Modified
2025-01-08 19:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Soft Serve is a self-hostable Git server for the command line. Prior to 0.8.2 , a path traversal attack allows existing non-admin users to access and take over other user's repositories. A malicious user then can modify, delete, and arbitrarily repositories as if they were an admin user without explicitly giving them permissions. This is patched in v0.8.2.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| charmbracelet | soft-serve |
Version: < 0.8.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22130",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-08T19:15:58.063589Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T19:16:13.209Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "soft-serve",
"vendor": "charmbracelet",
"versions": [
{
"status": "affected",
"version": "\u003c 0.8.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Soft Serve is a self-hostable Git server for the command line. Prior to 0.8.2 , a path traversal attack allows existing non-admin users to access and take over other user\u0027s repositories. A malicious user then can modify, delete, and arbitrarily repositories as if they were an admin user without explicitly giving them permissions. This is patched in v0.8.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T15:43:05.244Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-j4jw-m6xr-fv6c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-j4jw-m6xr-fv6c"
},
{
"name": "https://github.com/charmbracelet/soft-serve/commit/a8d1bf3f9349c138383b65079b7b8ad97fff78f4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/charmbracelet/soft-serve/commit/a8d1bf3f9349c138383b65079b7b8ad97fff78f4"
},
{
"name": "https://github.com/charmbracelet/soft-serve/releases/tag/v0.8.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/charmbracelet/soft-serve/releases/tag/v0.8.2"
}
],
"source": {
"advisory": "GHSA-j4jw-m6xr-fv6c",
"discovery": "UNKNOWN"
},
"title": "Soft Serve allows path traversal attacks"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-22130",
"datePublished": "2025-01-08T15:43:05.244Z",
"dateReserved": "2024-12-30T03:00:33.652Z",
"dateUpdated": "2025-01-08T19:16:13.209Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-64522 (GCVE-0-2025-64522)
Vulnerability from cvelistv5
Published
2025-11-10 22:11
Modified
2025-11-12 20:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have a SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints. Version 0.11.1 fixes the vulnerability.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| charmbracelet | soft-serve |
Version: < 0.11.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64522",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T17:34:16.843213Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T20:13:12.894Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-vwq2-jx9q-9h9f"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "soft-serve",
"vendor": "charmbracelet",
"versions": [
{
"status": "affected",
"version": "\u003c 0.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have a SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints. Version 0.11.1 fixes the vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T22:11:18.863Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-vwq2-jx9q-9h9f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-vwq2-jx9q-9h9f"
},
{
"name": "https://github.com/charmbracelet/soft-serve/commit/bb73b9a0eea0d902da4811420535842a4f9aae3b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/charmbracelet/soft-serve/commit/bb73b9a0eea0d902da4811420535842a4f9aae3b"
},
{
"name": "https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.1"
}
],
"source": {
"advisory": "GHSA-vwq2-jx9q-9h9f",
"discovery": "UNKNOWN"
},
"title": "Soft Serve is vulnerable to SSRF through its Webhooks"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64522",
"datePublished": "2025-11-10T22:11:18.863Z",
"dateReserved": "2025-11-05T21:15:39.401Z",
"dateUpdated": "2025-11-12T20:13:12.894Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64494 (GCVE-0-2025-64494)
Vulnerability from cvelistv5
Published
2025-11-08 01:19
Modified
2025-11-10 15:11
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences
Summary
Soft Serve is a self-hostable Git server for the command line. In versions prior to 0.10.0, there are several places where the user can insert data (e.g. names) and ANSI escape sequences are not being removed, which can then be used, for example, to show fake alerts. In the same token, git messages, when printed, are also not being sanitized. This issue is fixed in version 0.10.0.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| charmbracelet | soft-serve |
Version: <= 0.10.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64494",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-10T15:10:37.122847Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T15:11:01.604Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "soft-serve",
"vendor": "charmbracelet",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Soft Serve is a self-hostable Git server for the command line. In versions prior to 0.10.0, there are several places where the user can insert data (e.g. names) and ANSI escape sequences are not being removed, which can then be used, for example, to show fake alerts. In the same token, git messages, when printed, are also not being sanitized. This issue is fixed in version 0.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-150",
"description": "CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-08T01:19:01.203Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-fv2r-r8mp-pg48",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-fv2r-r8mp-pg48"
},
{
"name": "https://github.com/charmbracelet/soft-serve/commit/d9639320b8d0ccd76fe6836a042c042b0ebde549",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/charmbracelet/soft-serve/commit/d9639320b8d0ccd76fe6836a042c042b0ebde549"
}
],
"source": {
"advisory": "GHSA-fv2r-r8mp-pg48",
"discovery": "UNKNOWN"
},
"title": "Soft Serve does not sanitize ANSI escape sequences in user input"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64494",
"datePublished": "2025-11-08T01:19:01.203Z",
"dateReserved": "2025-11-05T19:12:25.103Z",
"dateUpdated": "2025-11-10T15:11:01.604Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}