Platform
go
Component
github.com/charmbracelet/soft-serve
Fixed in
0.10.1
0.10.0
CVE-2025-58355 describes an arbitrary file access vulnerability in Soft Serve, a Go-based SSH server implementation. The flaw allows an attacker to write arbitrary files through the SSH API, potentially leading to unauthorized code execution and system compromise. It affects Soft Serve versions prior to 0.10.0, and a patch has been released to address the issue.
The primary impact of CVE-2025-58355 is that an attacker can write arbitrary files to the server's filesystem. This can be used to overwrite critical system files, inject malicious code (e.g., a reverse shell), or modify configuration files to gain persistent access. The blast radius extends to any data accessible by the user account under which Soft Serve runs, so successful exploitation could lead to complete system takeover and data exfiltration. No real-world exploits have been publicly reported so far, but the ease of exploitation via the SSH API makes this a significant risk.
CVE-2025-58355 was publicly disclosed on 2025-09-08. The vulnerability's ease of exploitation, combined with the widespread use of SSH, suggests a potential for active exploitation. There are currently no known public exploits or KEV listings, but the vulnerability's severity warrants close monitoring. The EPSS score is likely to be medium, reflecting the potential for widespread exploitation.
Organizations using Soft Serve as an SSH server, particularly those with exposed SSH APIs or limited access controls, are at risk. Development teams relying on Soft Serve within their Go applications should also prioritize patching. Shared hosting environments utilizing Soft Serve are particularly vulnerable due to the potential for cross-tenant exploitation.
• go / server:
  find / -name "soft_serve" -type d -print0 | xargs -0 grep -ri "ssh api file write"
• generic web:
  curl -I http://<server_ip>/ssh_api_endpoint
  Inspect the response headers for any unusual configurations or exposed file paths.
disclosure
Exploit status
EPSS
0.07% (20th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2025-58355 is to immediately upgrade to version 0.10.0 or later. If upgrading is not immediately feasible, consider restricting access to the SSH API to trusted users only. Implement strict file permissions on the Soft Serve data directory to limit the impact of potential file writes. Monitor SSH logs for suspicious activity, particularly attempts to access or modify files outside of expected locations. After upgrading, confirm the vulnerability is resolved by attempting a file write via the SSH API with a non-privileged user account and verifying that the write is denied.
Update soft-serve to version 0.10.0 or later. This version contains the fix for the arbitrary file write vulnerability. The update can be performed by downloading the new version from the official repository and replacing the previous version.
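Where Soft Serve is pulled in as a Go module dependency rather than deployed as a packaged server binary, the version check called for above can be scripted against go.mod. The following is an added example and not code from the Soft Serve project or from this advisory; the module path and the v0.10.0 fix version come from the advisory, while the go.mod text is a constructed sample. It also treats pre-releases of the fixed version (for example v0.10.0-rc1) as still vulnerable, since they sort before the release.

```go
package main
import "fmt"
import "strings"

// Module path and first fixed version come from the advisory.
const vulnModule, fixedVersion = "github.com/charmbracelet/soft-serve", "v0.10.0"

// Constructed sample go.mod text, not taken from any real project.
const sampleGoMod = "module example.com/myapp\n\ngo 1.22\n\nrequire (\n" +
	"\tgithub.com/charmbracelet/soft-serve v0.9.1\n\tgithub.com/spf13/cobra v1.8.0\n)\n"

// parseSemver turns "v0.9.1" or "v0.10.0-rc1" into [major minor patch] plus a pre-release flag.
func parseSemver(v string) (nums [3]int, pre bool, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 { // cut pre-release tag or build metadata
		pre, v = v[i] == '-', v[:i]
	}
	if n, e := fmt.Sscanf(v, "%d.%d.%d", &nums[0], &nums[1], &nums[2]); n != 3 || e != nil {
		return nums, false, fmt.Errorf("bad version %q", v)
	}
	return nums, pre, nil
}

// IsVulnerable reports whether v is older than fixedVersion; v0.10.0-rc1 still counts as vulnerable.
func IsVulnerable(v string) (bool, error) {
	got, pre, err := parseSemver(v)
	if err != nil {
		return false, err
	}
	fixed, _, _ := parseSemver(fixedVersion)
	for i := range got {
		if got[i] != fixed[i] {
			return got[i] < fixed[i], nil
		}
	}
	return pre, nil
}

// CheckGoMod finds the soft-serve requirement (block or single-line "require" form) in go.mod
// text and reports the version found ("" if absent) and whether that version is vulnerable.
func CheckGoMod(gomod string) (version string, vulnerable bool, err error) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == vulnModule {
			vulnerable, err = IsVulnerable(f[1])
			return f[1], vulnerable, err
		}
	}
	return "", false, nil
}
```

Run CheckGoMod over the contents of each go.mod in the repositories you maintain; a replace directive or a vendored copy is not covered by this check and needs separate review.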
CVE-2025-58355 is a vulnerability in Soft Serve allowing attackers to write arbitrary files via the SSH API, potentially leading to code execution. It affects versions before 0.10.0.
You are affected if you are using Soft Serve versions prior to 0.10.0. Check your installed version and upgrade immediately if vulnerable.
Upgrade to version 0.10.0 or later of Soft Serve. Restrict SSH API access and implement file access controls as temporary mitigations.
As of the last update, there is no confirmed active exploitation of CVE-2025-58355 in the wild, but public PoCs may emerge.
Refer to the official Soft Serve GitHub repository and related security announcements for the latest advisory information: https://github.com/charmbracelet/soft-serve