Ameeba Exploit Tracker

Tracking CVEs, exploits, and zero-days for defensive cybersecurity research.


CVE-2025-58355: Arbitrary File Creation or Override Vulnerability in Soft Serve Git Server


Overview

This report covers CVE-2025-58355, a vulnerability in Soft Serve, a self-hostable Git server. It affects versions 0.9.1 and below and allows arbitrary file creation or overwrite through the server's SSH API, a significant security risk because it could let an attacker compromise the host or leak data.

Vulnerability Summary

CVE ID: CVE-2025-58355
Severity: High (7.7 CVSS score)
Attack Vector: Network (via SSH API)
Privileges Required: Low
User Interaction: None
Impact: System compromise, data leakage

Affected Products


Product               | Affected Versions
Soft Serve Git Server | 0.9.1 and below

How the Exploit Works

An attacker exploits this vulnerability by sending crafted requests over the SSH API. Because the server does not properly validate the data in those requests, attacker-controlled values can cause it to create new files or overwrite existing ones on the host.

Conceptual Example Code

A conceptual example of how the vulnerability might be exploited could look like this:

ssh -p 2222 user@target.example.com 'echo arbitrary_data > /path/to/vulnerable/file'

In this conceptual example, the attacker connects to the target over SSH and uses the echo command to write arbitrary data to a file whose path is given directly in the command. It illustrates the outcome (attacker-chosen content at an attacker-chosen path), not the specific SSH API request that the vulnerable versions mishandle.

Mitigation Guidance

The most effective mitigation is to apply the vendor patch, released in Soft Serve Git Server version 0.10.0. If an immediate update is not possible, deploying a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can serve as a temporary measure to help detect and block malicious SSH requests before they reach the server. These are stopgaps rather than long-term fixes; updating to a patched version as soon as feasible is strongly recommended.
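To illustrate the class of weakness described under "How the Exploit Works" (request-supplied data deciding where a file is created or overwritten) and the validation the fix category calls for, here is an added Go example. It is not Soft Serve's code, and the page does not say which SSH API request the real vulnerable code path mishandles; SafeJoin, WriteConfined and the sample paths are assumed names and constructed inputs.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideRoot = errors.New("path escapes allowed root")

// SafeJoin confines an untrusted, request-supplied path to root. It rejects empty
// and absolute paths and any ".." traversal that still escapes root after cleaning.
// Limitation: it does not resolve symlinks that already exist under root.
func SafeJoin(root, untrusted string) (string, error) {
	if untrusted == "" || filepath.IsAbs(untrusted) || strings.HasPrefix(untrusted, "/") {
		return "", ErrOutsideRoot
	}
	cleanRoot := filepath.Clean(root)
	full := filepath.Join(cleanRoot, untrusted) // Join cleans the result
	rel, err := filepath.Rel(cleanRoot, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// WriteConfined writes data to root/untrusted only if SafeJoin accepts the path.
// O_EXCL makes the create fail if the file already exists, so a request can never
// silently overwrite an existing file; replacement must be an explicit policy.
func WriteConfined(root, untrusted string, data []byte) (string, error) {
	target, err := SafeJoin(root, untrusted)
	if err != nil {
		return "", err
	}
	f, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return "", err
	}
	defer f.Close()
	_, err = f.Write(data)
	return target, err
}

func main() {
	root, _ := os.MkdirTemp("", "confine") // constructed sandbox directory
	for _, p := range []string{"notes.txt", "notes.txt", "../../etc/passwd", "/etc/passwd", "a/../../x"} {
		_, err := WriteConfined(root, p, []byte("constructed sample\n"))
		fmt.Printf("%-18s -> %v\n", p, err) // nil means the write was accepted
	}
}
```

The second "notes.txt" write and the three traversal attempts all return errors; only the first write lands, inside the sandbox directory.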


Disclaimer:

The information and code presented in this article are provided for educational and defensive cybersecurity purposes only. Any conceptual or pseudocode examples are simplified representations intended to raise awareness and promote secure development and system configuration practices.

Do not use this information to attempt unauthorized access or exploit vulnerabilities on systems that you do not own or have explicit permission to test.

Ameeba and its authors do not endorse or condone malicious behavior and are not responsible for misuse of the content. Always follow ethical hacking guidelines, responsible disclosure practices, and local laws.