Cyber Resilience

CVE-2025-22130

Medium

Published: 08 January 2025

Published
08 January 2025
Modified
06 November 2025
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0057 69.0th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-22130 is a medium-severity Path Traversal (CWE-22) vulnerability in Charm Soft Serve. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 31.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-22130 is a path traversal vulnerability (CWE-22) in Soft Serve, a self-hostable Git server designed for command-line use. Versions prior to 0.8.2 are affected, where the flaw enables unauthorized access to repository paths. Published on January 8, 2025, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The vulnerability can be exploited by existing non-administrative users over the network with low attack complexity and no user interaction required. Attackers with low privileges can traverse paths to access, take over, modify, delete, or arbitrarily manage other users' repositories, effectively gaining administrative-like control without explicit permissions.

Mitigation is available in Soft Serve version 0.8.2, which patches the issue. Administrators should upgrade immediately. Key resources include the fixing commit at https://github.com/charmbracelet/soft-serve/commit/a8d1bf3f9349c138383b65079b7b8ad97fff78f4, release notes at https://github.com/charmbracelet/soft-serve/releases/tag/v0.8.2, and the GitHub security advisory at https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-j4jw-m6xr-fv6c.

EU & UK References

Vulnerability details

Soft Serve is a self-hostable Git server for the command line. Prior to 0.8.2 , a path traversal attack allows existing non-admin users to access and take over other user's repositories. A malicious user then can modify, delete, and arbitrarily…

more

repositories as if they were an admin user without explicitly giving them permissions. This is patched in v0.8.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path traversal in public-facing Git server directly enables remote exploitation by low-priv users to achieve unauthorized repo access/modification and administrative control (privilege escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-30832Same product: Charm Soft Serve
CVE-2026-24058Same product: Charm Soft Serve
CVE-2026-41589Same vendor: Charm
CVE-2025-62630Shared CWE-22
CVE-2025-60786Shared CWE-22
CVE-2025-27590Shared CWE-22
CVE-2025-12422Shared CWE-22
CVE-2026-42520Shared CWE-22
CVE-2026-32727Shared CWE-22
CVE-2026-40258Shared CWE-22

Affected Assets

charm
soft serve
≤ 0.8.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Validates user-supplied repository path inputs to prevent traversal sequences that allow non-admin users to access unauthorized repositories.

prevent

Enforces approved authorizations for access to repository resources, blocking path traversal attempts by non-admin users.

prevent

Requires timely identification, reporting, and correction of flaws like this path traversal vulnerability via patching to version 0.8.2.

References