PT-2024-6167 · Unknown+2 · Soft Serve+2
Deadpixi+1 · Published 2024-07-24 · Updated 2024-08-06 · CVE-2024-41956
CVSS v4.0: 8.6 High
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Soft Serve versions prior to 0.7.5
Description
Soft Serve passes all environment variables given by the client to git subprocesses, including variables that control program execution, such as LD_PRELOAD. This can be exploited to execute arbitrary code by uploading a malicious shared object file to Soft Serve via Git LFS and referencing it in LD_PRELOAD via a Soft Serve SSH session. For example, an attacker can use the LD_PRELOAD variable to execute a shell by patching a shared library function called by git.
Recommendations
For versions prior to 0.7.5, update to version 0.7.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the LD_PRELOAD environment variable to minimize the risk of exploitation. Additionally, avoid using Git LFS to upload malicious files until the issue is resolved.
Exploit
Fix
OS Command Injection
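An added example, not code from this advisory or from Soft Serve: one way to avoid the pattern in the Description is to build the git subprocess environment from an allowlist instead of forwarding whatever the client sent. The allowlist contents, the fixed PATH and the function names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// allowedClientEnv is a hypothetical allowlist (an assumption for this
// example, not Soft Serve's actual list) of client variables safe to forward.
var allowedClientEnv = map[string]bool{
	"LANG": true, "LC_ALL": true, "TERM": true, "GIT_PROTOCOL": true,
}

// filterClientEnv keeps only allowlisted KEY=VALUE pairs sent by the client.
// Everything else (LD_PRELOAD, LD_LIBRARY_PATH, malformed entries, ...) is
// dropped, and its name is returned so the server can log the attempt.
func filterClientEnv(clientEnv []string) (kept, dropped []string) {
	for _, kv := range clientEnv {
		key, _, ok := strings.Cut(kv, "=")
		if ok && allowedClientEnv[key] {
			kept = append(kept, kv)
		} else {
			dropped = append(dropped, key)
		}
	}
	return kept, dropped
}

// gitCommand builds (but does not run) a git subprocess whose environment is
// a fixed server-side base plus the filtered client variables. Setting
// cmd.Env explicitly means nothing else is inherited or forwarded.
func gitCommand(clientEnv []string, args ...string) (*exec.Cmd, []string) {
	kept, dropped := filterClientEnv(clientEnv)
	cmd := exec.Command("git", args...)
	cmd.Env = append([]string{"PATH=/usr/bin:/bin"}, kept...) // assumed base
	return cmd, dropped
}

func main() {
	// Constructed sample of variables requested over an SSH session.
	clientEnv := []string{"LANG=C.UTF-8", "LD_PRELOAD=/constructed/path.so", "GIT_PROTOCOL=version=2"}
	cmd, dropped := gitCommand(clientEnv, "version")
	fmt.Println("subprocess env:", cmd.Env)
	fmt.Println("dropped client variables:", dropped)
}
```

Logging the dropped names gives a detection signal for sessions that request loader-control variables.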
Weakness Enumeration
Related Identifiers
Affected Products
Git
Git Lfs
Soft Serve