
Deadpixi

#30633 of 53,630
8.6 Total CVSS
Vulnerabilities · 1
PT-2024-6167
8.6
2024-07-24
Unknown · Soft Serve · CVE-2024-41956
**Name of the Vulnerable Software and Affected Versions**

Soft Serve versions prior to 0.7.5

**Description**

Soft Serve passes all environment variables supplied by the client through to its git subprocesses, including variables that control program execution such as `LD_PRELOAD`. This can be exploited to execute arbitrary code: an attacker uploads a malicious shared object file to Soft Serve via Git LFS and then references it in `LD_PRELOAD` over a Soft Serve SSH session. For example, an attacker can use `LD_PRELOAD` to execute a shell by hooking a shared library function that git calls.

**Recommendations**

For versions prior to 0.7.5, update to version 0.7.5 or later to resolve the issue. As a temporary workaround, consider preventing clients from setting the `LD_PRELOAD` environment variable to minimize the risk of exploitation. Additionally, restrict Git LFS uploads from untrusted clients until the issue is resolved.