Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-22130

CVE-2025-22130: Charm Soft Serve Path Traversal Vulnerability

CVE-2025-22130 is a path traversal flaw in Charm Soft Serve that allows non-admin users to access and take over other users' repositories. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-22130 Overview

CVE-2025-22130 is a path traversal vulnerability [CWE-22] in Soft Serve, a self-hostable Git server for the command line developed by Charm. Versions prior to 0.8.2 allow authenticated non-admin users to traverse outside their authorized repository scope. An attacker exploiting this flaw can access, modify, and delete repositories belonging to other users without holding administrative privileges. The issue is resolved in Soft Serve v0.8.2.

Critical Impact

Authenticated non-admin users can take over arbitrary repositories on a Soft Serve instance, bypassing the server's access control model and gaining admin-equivalent control over targeted repositories.

Affected Products

  • Charm Soft Serve versions prior to 0.8.2
  • Self-hosted Git server deployments using the affected Go module charm:soft_serve
  • Multi-tenant Soft Serve instances exposing repositories to non-admin authenticated users

Discovery Timeline

  • 2025-01-08 - CVE-2025-22130 published to NVD
  • 2025-01-08 - Charm releases security advisory GHSA-j4jw-m6xr-fv6c and patched version v0.8.2
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-22130

Vulnerability Analysis

The vulnerability stems from improper sanitization of repository path inputs in Soft Serve's request handling layer. Soft Serve resolves repository identifiers supplied by authenticated clients against the server's repository directory. When the input contains traversal sequences, the resolver follows them outside the user's permitted scope. The server then applies the original requesting user's session as if they owned the targeted repository.

Because permission checks are tied to the resolved path rather than ownership of the underlying repository, the attacker inherits effective admin rights over the targeted resource. This allows reading private code, pushing arbitrary commits, rewriting history, and deleting repositories belonging to other users. The flaw maps to [CWE-22], Improper Limitation of a Pathname to a Restricted Directory.

Root Cause

The root cause is missing canonicalization and authorization enforcement on repository path parameters. Soft Serve trusted user-supplied repository identifiers without verifying that the resolved path remained within the requesting user's authorized namespace. The fix introduced in commit a8d1bf3f9349c138383b65079b7b8ad97fff78f4 adds path validation to reject traversal sequences and enforces ownership checks against the canonical path.

Attack Vector

Exploitation requires network access to the Soft Serve instance and valid low-privilege credentials. An authenticated non-admin user issues Git or SSH protocol requests containing crafted repository references that include path traversal sequences such as ../. The server resolves these references to repositories outside the attacker's namespace and grants the session full control over them. No user interaction from the victim is needed, and exploitation does not require elevated privileges beyond a standard account.

No public proof-of-concept exploit is currently listed in Exploit-DB or referenced in the advisory. Technical details of the patch are available in the GitHub Security Advisory GHSA-j4jw-m6xr-fv6c and the fix commit.

Detection Methods for CVE-2025-22130

Indicators of Compromise

  • Git protocol requests or SSH commands containing .., ../, or URL-encoded traversal sequences (%2e%2e%2f) in repository path parameters
  • Repository write, delete, or settings-change events performed by users who are not the owner and lack admin role
  • Unexpected force-push, branch deletion, or history rewrite events on repositories owned by other users
  • Authentication logs showing low-privilege accounts accessing repositories outside their assigned namespace

Detection Strategies

  • Parse Soft Serve access logs for repository identifiers containing traversal characters and correlate against the authenticated user's owned repositories.
  • Audit Git reflog and server-side repository event history for commits, tag changes, or deletions attributed to non-owner, non-admin users.
  • Compare the requesting user identity against the resolved repository owner for every administrative action and alert on mismatches.

Monitoring Recommendations

  • Forward Soft Serve SSH and HTTP access logs to a centralized logging platform and apply detection rules for path traversal patterns in repository fields.
  • Monitor for sudden spikes in repository deletion, permission changes, or force-pushes performed by accounts that do not normally administer those repositories.
  • Track outbound Git clone volume per user account to identify bulk exfiltration of repositories the user does not own.

How to Mitigate CVE-2025-22130

Immediate Actions Required

  • Upgrade all Soft Serve instances to version 0.8.2 or later without delay.
  • Rotate SSH keys and access tokens for any account that may have been used to exploit the vulnerability or whose repositories may have been altered.
  • Audit repository contents, branch protection settings, and commit history on the server to identify unauthorized modifications introduced before patching.

Patch Information

The vulnerability is fixed in Soft Serve v0.8.2. The patch is implemented in commit a8d1bf3f9349c138383b65079b7b8ad97fff78f4 and documented in GitHub Release v0.8.2. Administrators should pull the updated container image or Go binary, restart the service, and verify the version reported by soft serve version matches 0.8.2 or newer.

Workarounds

  • Restrict Soft Serve to trusted users only by removing or disabling non-admin accounts until the upgrade is applied.
  • Place the Soft Serve instance behind a network access control list or VPN to limit exposure to authenticated, vetted users.
  • Enable verbose access logging and review activity by non-admin accounts daily until the patched version is deployed.
bash
# Verify the running Soft Serve version after upgrade
soft serve version

# Example: upgrade via Go install to the patched release
go install github.com/charmbracelet/soft-serve/cmd/soft@v0.8.2

# Restart the service after upgrading
systemctl restart soft-serve

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.