CVE-2025-58355: Soft Serve vulnerable to arbitrary file writing through SSH API

September 2, 2025 (updated September 4, 2025)

Attackers can create/override arbitrary files with uncontrolled data.

For a PoC, spin up an instance of soft-serve as explained in the README, and execute the following command:

ssh -p23231 localhost repo commit icecream -- --output=/tmp/pwned

It should have created a file in /tmp/pwned.

References

github.com/advisories/GHSA-33pr-m977-5w97
github.com/charmbracelet/soft-serve
github.com/charmbracelet/soft-serve/security/advisories/GHSA-33pr-m977-5w97
nvd.nist.gov/vuln/detail/CVE-2025-58355

Code Behaviors & Features

Detect and mitigate CVE-2025-58355 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →