Headline
GHSA-33pr-m977-5w97: Soft Serve vulnerable to arbitrary file writing through SSH API
Attackers can create/override arbitrary files with uncontrolled data.
For a PoC, spin up an instance of soft-serve as explained in the README, and execute the following command:
ssh -p23231 localhost repo commit icecream -- --output=/tmp/pwned
It should have created a file in /tmp/pwned.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-58355
Soft Serve vulnerable to arbitrary file writing through SSH API
High severity GitHub Reviewed Published Sep 2, 2025 in charmbracelet/soft-serve • Updated Sep 2, 2025
Package
gomod github.com/charmbracelet/soft-serve (Go)
Affected versions
< 0.10.0
Attackers can create/override arbitrary files with uncontrolled data.
For a PoC, spin up an instance of soft-serve as explained in the README, and execute the following command:
ssh -p23231 localhost repo commit icecream – --output=/tmp/pwned
It should have created a file in /tmp/pwned.
References
- GHSA-33pr-m977-5w97
Published to the GitHub Advisory Database
Sep 2, 2025