CVE-2025-22130 · HIGH 8.8 · EPSS percentile 46.4%

Description

Soft Serve is a self-hostable Git server for the command line. Prior to 0.8.2, a path traversal attack allows existing non-admin users to access and take over other users' repositories. A malicious user can then modify, delete, and arbitrarily manipulate repositories as if they were an admin user, without having been explicitly granted those permissions. This is patched in v0.8.2.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.65% probability of exploitation · percentile 46.4% · 2026-06-19T12:03:05Z
Published: 2025-01-08
Last modified: 2025-11-06

Underlying weaknesses (1)

CWE-22

References

  1. https://github.com/charmbracelet/soft-serve/commit/a8d1bf3f9349c138383b65079b7b8ad97fff78f4
  2. https://github.com/charmbracelet/soft-serve/releases/tag/v0.8.2
  3. https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-j4jw-m6xr-fv6c


Type      | Target                                                                          | Confidence | Tier
Weakness  | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (cwe-22) | 0%         | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE: CVE-2026-24058
  - CVE: CVE-2026-30832
  - CVE: CVE-2026-28292
  - CVE: CVE-2025-46835
  - CVE: CVE-2025-64111
  - CVE: CVE-2025-40549
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.