Plattform
go
Komponente
github.com/charmbracelet/soft-serve
Behoben in
0.6.1
0.11.4
CVE-2026-30832 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the soft-serve Go library, specifically within its repository import functionality. This flaw allows an attacker to potentially access internal resources by manipulating the Large File Storage (LFS) endpoint. The vulnerability affects versions prior to 0.11.4, and a patch has been released to address the issue.
The SSRF vulnerability in soft-serve poses a significant risk because it enables attackers to initiate requests from the server's perspective, bypassing access controls. An attacker could exploit this to scan internal networks, access sensitive data stored on internal services (databases, APIs), or even potentially interact with cloud metadata services to obtain credentials. The impact is amplified if the soft-serve library is integrated into a larger application that handles sensitive data or interacts with critical infrastructure. Successful exploitation could lead to data breaches, unauthorized access, and disruption of services.
This vulnerability was publicly disclosed on 2026-03-10. There is currently no indication of active exploitation campaigns targeting this specific vulnerability. The availability of a public proof-of-concept is unknown at this time. The vulnerability is not currently listed on the CISA KEV catalog.
Applications built using the soft-serve Go library for repository management, particularly those handling external repository imports, are at risk. This includes CI/CD pipelines, build systems, and any application that leverages soft-serve to import and process Git repositories.
• go / server:
find /path/to/your/go/project -name "soft-serve.go" -print0 | xargs grep -l "LFS endpoint"• generic web:
curl -I <your_application_url>/repo_import | grep -i "lfs"disclosure
Exploit-Status
EPSS
0.02% (5% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2026-30832 is to immediately upgrade to version 0.11.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing strict input validation on the LFS endpoint to prevent malicious URLs. Additionally, network segmentation can limit the potential blast radius of a successful SSRF attack. Monitor network traffic for unusual outbound requests originating from the soft-serve process. After upgrading, confirm the fix by attempting a repo import with a known malicious LFS URL and verifying that the request is blocked.
Aktualisieren Sie Soft Serve auf Version 0.11.4 oder höher. Diese Version behebt die SSRF-Schwachstelle, indem der LFS-Endpunkt während der Repo-Import korrekt validiert wird.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2026-30832 is a critical SSRF vulnerability in the soft-serve Go library, allowing attackers to potentially access internal resources through manipulated repository imports.
If you are using soft-serve version 0.11.3 or earlier, you are vulnerable. Check your project dependencies to determine if you are using the library.
Upgrade to version 0.11.4 or later of the soft-serve library. If immediate upgrade is not possible, implement input validation on the LFS endpoint.
As of now, there are no known public exploits or active campaigns targeting this vulnerability, but the SSRF nature warrants immediate attention.
Refer to the charmbracelet project's repository and release notes for the official advisory and details about the fix: [https://github.com/charmbracelet/soft-serve](https://github.com/charmbracelet/soft-serve)
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine go.mod-Datei hoch und wir sagen dir sofort, ob du betroffen bist.