Path Traversal in Charmbracelet Soft-serve

CVE-2025-58355

Soft Serve is a self-hostable Git server for the command line. In versions 0.9.1 and below, a low-privileged attacker (the CVSS vector below requires PR:L, i.e. an account that can reach the SSH API) can create or overwrite arbitrary files on the server with attacker-controlled content through that SSH API. This issue is fixed in version 0.10.0; upgrade to 0.10.0 or later.

Vulnerability class: Path Traversal (Directory Traversal)
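The pattern behind this vulnerability class is a caller-supplied path joined onto a trusted base directory without a check that the result stays inside it. The following Go example is added here to illustrate that pattern and its fix; it is not Soft Serve's code and does not claim to reproduce the fixed function. The base directory `/srv/repos` and the sample inputs are constructed for the example; the generalisation (reject absolute input, join, then verify with `filepath.Rel`) is the standard confinement check and applies beyond this one CVE.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a caller-supplied path would escape the base directory.
var ErrTraversal = errors.New("path escapes base directory")

// UnsafeJoin is the bug pattern: user input is joined onto a trusted base and
// the result is used as-is. filepath.Join cleans the path, which *resolves*
// ".." components rather than rejecting them, so "../../etc/passwd" walks out.
func UnsafeJoin(base, userPath string) string {
	return filepath.Join(base, userPath)
}

// SafeJoin confines userPath to base (hypothetical helper, not from Soft Serve).
// It rejects absolute input, joins, and then checks the *cleaned* result with
// filepath.Rel. Using Rel instead of strings.HasPrefix(joined, base) also
// closes the classic "/srv/repos" vs "/srv/reposx" prefix mismatch.
// This is a lexical check only: symlinks inside base are not followed here.
func SafeJoin(base, userPath string) (string, error) {
	if filepath.IsAbs(userPath) {
		return "", ErrTraversal
	}
	cleanBase := filepath.Clean(base)
	joined := filepath.Join(cleanBase, userPath)
	rel, err := filepath.Rel(cleanBase, joined)
	if err != nil {
		return "", ErrTraversal
	}
	// rel is "." for base itself, a plain relative path for descendants,
	// and starts with ".." only when joined lies outside base.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return joined, nil
}

func main() {
	const base = "/srv/repos" // constructed example base directory
	inputs := []string{
		"alice/app.git/hooks/pre-receive", // legitimate, stays under base
		"a/../b",                          // ".." that does not leave base
		"../../etc/passwd",                // classic traversal
		"../reposx",                       // defeats a naive string-prefix check
		"/etc/passwd",                     // absolute input
	}
	for _, in := range inputs {
		safe, err := SafeJoin(base, in)
		fmt.Printf("%-34q unsafe=%-28s safe=%q err=%v\n", in, UnsafeJoin(base, in), safe, err)
	}
}
```

The `UnsafeJoin` column shows where each input would land on disk; the only inputs that survive `SafeJoin` are the two that resolve to a descendant of the base. On Go 1.24 and later, `os.Root` (`os.OpenRoot`) gives the same confinement at the operating-system level, including for symlinks, and is the better choice for new code.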

EPSS: 0.001 (29.9th percentile).

CVSS v3 metric

CVSS v3 base score 7.7 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N.

Frequently asked questions

What is CVE-2025-58355?
CVE-2025-58355 is a high-severity path traversal vulnerability in Charmbracelet Soft-serve that lets a low-privileged SSH user create or overwrite arbitrary files on the server. CVSS v3.1 base score: 7.7/10. Published 2025-09-03.
How severe is CVE-2025-58355?
High severity. CVSS v3 base score is 7.7 out of 10.