CVE-2025-22130

High

Published: 08 January 2025

Published

08 January 2025

Modified

06 November 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0042 61.9th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-22130 is a high-severity Path Traversal (CWE-22) vulnerability in Charm Soft Serve. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 38.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Validates user-supplied repository path inputs to prevent traversal sequences that allow non-admin users to access unauthorized repositories.

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for access to repository resources, blocking path traversal attempts by non-admin users.

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and correction of flaws like this path traversal vulnerability via patching to version 0.8.2.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Path traversal in public-facing Git server directly enables remote exploitation by low-priv users to achieve unauthorized repo access/modification and administrative control (privilege escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Soft Serve is a self-hostable Git server for the command line. Prior to 0.8.2 , a path traversal attack allows existing non-admin users to access and take over other user's repositories. A malicious user then can modify, delete, and arbitrarily…

repositories as if they were an admin user without explicitly giving them permissions. This is patched in v0.8.2.

Deeper analysisAI

CVE-2025-22130 is a path traversal vulnerability (CWE-22) in Soft Serve, a self-hostable Git server designed for command-line use. Versions prior to 0.8.2 are affected, where the flaw enables unauthorized access to repository paths. Published on January 8, 2025, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The vulnerability can be exploited by existing non-administrative users over the network with low attack complexity and no user interaction required. Attackers with low privileges can traverse paths to access, take over, modify, delete, or arbitrarily manage other users' repositories, effectively gaining administrative-like control without explicit permissions.

Mitigation is available in Soft Serve version 0.8.2, which patches the issue. Administrators should upgrade immediately. Key resources include the fixing commit at https://github.com/charmbracelet/soft-serve/commit/a8d1bf3f9349c138383b65079b7b8ad97fff78f4, release notes at https://github.com/charmbracelet/soft-serve/releases/tag/v0.8.2, and the GitHub security advisory at https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-j4jw-m6xr-fv6c.