PT-2026-23793 · Unknown · Soft Serve
Vnykmshr · Published 2026-03-06 · Updated 2026-03-25 · CVE-2026-30832
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Soft Serve versions 0.6.0 through 0.11.3
Description: Soft Serve, a self-hostable Git server, contains a server-side request forgery (SSRF) vulnerability. An authenticated SSH user can make the server issue HTTP requests to internal or private IP addresses by passing a specially crafted --lfs-endpoint URL to the repo import command. The initial request is blind, but an attacker who hosts a fake LFS server can turn it into full read access to internal services by returning download URLs that point at internal targets. The root cause is the lack of validation of the user-controlled endpoint combined with the use of an unprotected HTTP client. The issue persists after the webhook SSRF fix in version 0.11.1, because that fix covers only the webhook code and not the LFS import path. The vulnerability can also be triggered through mirror synchronization, which yields a persistent SSRF that repeats on every scheduled sync. The attack has two stages: a blind SSRF to confirm reachability, then reading internal responses via the fake LFS server. This allows attackers to perform port scanning, discover services, steal cloud credentials, access internal APIs, and establish persistence.
Recommendations: Versions prior to 0.11.4 are vulnerable. Apply the suggested fix: replace http.DefaultClient in pkg/lfs/http client.go with a secure client that uses ValidateIPBeforeDial in the transport and returns http.ErrUseLastResponse from CheckRedirect. Validate the endpoint URL in pkg/backend/repo.go and pkg/jobs/mirror.go with the same checks ValidateWebhookURL performs.
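As an added illustration of the recommended fix (example code written for this page, not Soft Serve's own ValidateIPBeforeDial or LFS client), the Go client below checks the resolved IP in the dialer's Control hook, which runs after DNS resolution and so also covers names that later rebind to an internal address, refuses to follow redirects, and validates the endpoint URL up front. The function names and the set of blocked address ranges are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
)

// Loopback, private (RFC 1918/ULA), link-local (incl. 169.254.169.254 cloud metadata),
// unspecified and multicast addresses are never acceptable LFS endpoints.
func isDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsMulticast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() || ip.IsUnspecified()
}

// validateIPBeforeDial (assumed name) is a net.Dialer Control hook: it runs after DNS
// resolution and before connect(), so a name that resolves (or rebinds) to an internal IP fails.
func validateIPBeforeDial(network, address string, _ syscall.RawConn) error {
	host, _, _ := net.SplitHostPort(address) // address is the resolved "ip:port" here
	if ip := net.ParseIP(host); ip == nil || isDisallowedIP(ip) {
		return fmt.Errorf("refusing to dial %q: internal or invalid address", address)
	}
	return nil
}

// validateEndpointURL is the up-front check on a user-supplied --lfs-endpoint value.
func validateEndpointURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return nil, fmt.Errorf("lfs endpoint %q: need an http(s) URL with a host", raw)
	}
	if ip := net.ParseIP(u.Hostname()); ip != nil && isDisallowedIP(ip) {
		return nil, fmt.Errorf("lfs endpoint %q: %s is an internal address", raw, ip)
	}
	return u, nil
}

// noRedirect hands a 3xx back to the caller instead of following it to a possibly internal URL.
func noRedirect(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }

// newSafeHTTPClient replaces http.DefaultClient; Proxy stays unset, since a proxy would be dialed instead of the target and bypass the Control hook.
func newSafeHTTPClient() *http.Client {
	dialer := &net.Dialer{Control: validateIPBeforeDial}
	return &http.Client{
		Transport:     &http.Transport{DialContext: dialer.DialContext},
		CheckRedirect: noRedirect,
	}
}
```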

Exploit · Fix · SSRF


Weakness Enumeration

Related identifiers

CVE-2026-30832
GHSA-3FVX-XRXQ-8JVV
GO-2026-4634
SUSE-SU-2026:1042-1

Affected products

Soft Serve