PT-2025-4367 · Soft Serve
Reporter: Aymanbagabas
Published: 2025-01-08 · Updated: 2025-09-05
CVE: CVE-2025-22130
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Soft Serve versions prior to 0.8.2
Description
Soft Serve is a self-hostable Git server for the command line. A path traversal flaw allows existing non-admin users to access and take over other users' repositories. A malicious user can modify, delete, and access arbitrary repositories as if they were an admin user, without ever having been granted those permissions.
Recommendations
For versions prior to 0.8.2, upgrade to version 0.8.2 to patch the vulnerability.
As a temporary workaround for multi-user set-ups, consider disabling repository creation for users until the upgrade is applied.
Single-user set-ups are not affected and do not require any action.
Weakness Enumeration
Path traversal
Related Identifiers
CVE-2025-22130
Affected Products
Soft Serve
Suse