HIGH · CVE-2025-58355 · CVSS 7.7

CVE-2025-58355: Arbitrary File Access in Soft Serve

Platform: go

Component: github.com/charmbracelet/soft-serve

Fixed in: 0.10.0 (0.10.1 also listed)

AI Confidence: high · NVD · EPSS 0.1% · Reviewed: May 2026

CVE-2025-58355 describes an arbitrary file write vulnerability in Soft Serve, a self-hostable Git server written in Go that is administered and accessed over SSH. An authenticated user of the SSH API can write arbitrary files on the server, which, depending on where the file lands and what the service process may write, can lead to code execution and compromise of the host. The vulnerability affects Soft Serve versions prior to 0.10.0; version 0.10.0 contains the fix.


Impact and Attack Scenarios

The vulnerability gives an authenticated SSH user a file-write primitive on the server. The CVSS vector below records Integrity: High with Confidentiality: None, so this is a write, not a read: an attacker can create or overwrite files but does not gain a way to read existing ones. Writing into configuration, startup or hook locations is the route to remote code execution (RCE), after which the attacker runs with the privileges of the Soft Serve process. Two factors bound the practical impact: the OS user and filesystem permissions the service runs with, and whether the affected deployment grants SSH accounts to untrusted parties. An instance that hands out accounts to many users, or that holds sensitive repositories, should treat this as a priority upgrade.

Exploitation Context

CVE-2025-58355 was publicly disclosed on 2025-09-08. There is currently no indication of active exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog as of this writing. The exploit-status table below records no tracked proof of concept while the SSVC entry reports "poc"; treat public proof-of-concept code as likely, since the fix is in an open-source repository where the change can be diffed.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.07% (20% percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Base score: 7.7 (HIGH), source: nextguardhq.com

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: Low (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Changed (impact beyond the vulnerable component)
Confidentiality: None (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: None (risk of service disruption)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: github.com/charmbracelet/soft-serve
Vendor: osv
Affected range: < 0.10.0
Fixed in: 0.10.0 (0.10.1 also listed)


Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-58355 is to upgrade Soft Serve to version 0.10.0 or later. If an immediate upgrade is not feasible, reduce exposure in the meantime. The vulnerability requires an authenticated SSH user, so the controls that matter are who holds an account and who can reach the SSH listener: remove or suspend accounts that are not needed, do not allow anonymous or self-service access if the instance permits it, and restrict network access to the Soft Serve SSH port (23231 by default) to trusted networks. Run the service as a dedicated, unprivileged user whose write access is limited to its own data directory, so that a file write cannot land in system configuration, service definitions or another user's home directory; mandatory access controls (AppArmor, SELinux) or a container with a read-only root filesystem enforce the same boundary. Review SSH and Soft Serve logs for file paths that fall outside the repository storage directory, and check file-integrity monitoring on the host for unexpected new or modified files. After upgrading, confirm the fix by verifying the running binary's version rather than by re-running an exploit: `go version -m` on the installed binary prints the embedded module path and version, which must be v0.10.0 or later.

How to fix

Update soft-serve to version 0.10.0 or later. That release contains the fix for the arbitrary file write vulnerability. The update can be done by downloading the new version from the official repository and replacing the previous one; if Soft Serve is embedded as a Go module dependency, raise the `github.com/charmbracelet/soft-serve` requirement in go.mod to v0.10.0 or later and rebuild.


Frequently asked questions

What is CVE-2025-58355 — Arbitrary File Access in Soft Serve?

CVE-2025-58355 is a vulnerability in Soft Serve allowing attackers to write arbitrary files via the SSH API, potentially leading to code execution. It affects versions before 0.10.0.

Am I affected by CVE-2025-58355 in Soft Serve?

You are affected if you are running Soft Serve at a version prior to 0.10.0. Check the installed version (for a Go binary, `go version -m <path-to-binary>` prints the module version it was built from) or the version pinned in your go.mod, and upgrade immediately if it is below 0.10.0.
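The version check above can be done mechanically against a go.mod. The following program is an added example written for this page, not code from the Soft Serve project or from this site: it scans go.mod text for the `github.com/charmbracelet/soft-serve` requirement, honours a `replace` directive that points at another module version, and compares the result with the fixed release using semver ordering, so that pre-release and pseudo-versions of 0.10.0 are still reported as affected. The sample go.mod embedded in it is constructed for the example. The module path and the fixed version are the only facts taken from the advisory.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Module path and fixed release as recorded in the advisory for CVE-2025-58355.
const (
	affectedModule = "github.com/charmbracelet/soft-serve"
	fixedVersion   = "v0.10.0"
)

// semver keeps the numeric part of a Go module version plus whether it has a
// pre-release suffix. Pseudo-versions (v0.9.2-0.20250801120000-abcdef123456)
// and release candidates (v0.10.0-rc.1) both sort before the plain release.
type semver struct {
	major, minor, patch int
	preRelease          bool
}

func parseSemver(v string) (semver, error) {
	var s semver
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 { // drop build metadata (+incompatible)
		v = v[:i]
	}
	if i := strings.IndexByte(v, '-'); i >= 0 { // pre-release or pseudo-version
		s.preRelease = true
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return s, fmt.Errorf("malformed version %q", v)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return s, fmt.Errorf("malformed version component %q", p)
		}
		nums[i] = n
	}
	s.major, s.minor, s.patch = nums[0], nums[1], nums[2]
	return s, nil
}

// less reports whether a sorts before b under semver ordering.
func (a semver) less(b semver) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	if a.patch != b.patch {
		return a.patch < b.patch
	}
	return a.preRelease && !b.preRelease
}

// requiredVersion returns the version of module that a go.mod resolves to: the
// require entry, overridden by a replace directive naming a module version.
// A replace that points at a local directory cannot be judged from go.mod
// alone, so it is reported as an error for manual inspection.
func requiredVersion(gomod, module string) (string, error) {
	var required, replacement string
	block := "" // "require" or "replace" while inside a ( ... ) block
	for _, raw := range strings.Split(gomod, "\n") {
		line := raw
		if i := strings.Index(line, "//"); i >= 0 { // strip comments such as "// indirect"
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		directive := block
		if block == "" {
			if fields[0] != "require" && fields[0] != "replace" {
				continue
			}
			directive = fields[0]
			fields = fields[1:]
			if len(fields) == 1 && fields[0] == "(" {
				block = directive
				continue
			}
		} else if fields[0] == ")" {
			block = ""
			continue
		}
		if len(fields) == 0 || fields[0] != module {
			continue
		}
		switch directive {
		case "require":
			if len(fields) >= 2 {
				required = fields[1]
			}
		case "replace": // forms: M [v] => N v   |   M [v] => ./local/path
			arrow := -1
			for i, f := range fields {
				if f == "=>" {
					arrow = i
				}
			}
			if arrow < 0 {
				continue
			}
			rhs := fields[arrow+1:]
			if len(rhs) != 2 {
				return "", fmt.Errorf("%s is replaced by a local path (%s); inspect that checkout", module, strings.Join(rhs, " "))
			}
			replacement = rhs[1]
		}
	}
	if replacement != "" {
		return replacement, nil
	}
	if required == "" {
		return "", fmt.Errorf("%s is not required by this go.mod", module)
	}
	return required, nil
}

// Affected reports whether the soft-serve version a go.mod pins is below the
// fixed release, together with the version string that was evaluated.
func Affected(gomod string) (bool, string, error) {
	v, err := requiredVersion(gomod, affectedModule)
	if err != nil {
		return false, "", err
	}
	have, err := parseSemver(v)
	if err != nil {
		return false, v, err
	}
	fixed, _ := parseSemver(fixedVersion)
	return have.less(fixed), v, nil
}

// Constructed sample go.mod for this example; not taken from any real project.
const sampleGoMod = `module example.com/gitplatform

go 1.23

require (
	github.com/charmbracelet/soft-serve v0.9.1 // indirect
	golang.org/x/crypto v0.31.0
)
`

func main() {
	affected, v, err := Affected(sampleGoMod)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if affected {
		fmt.Printf("%s %s is below %s: affected by CVE-2025-58355\n", affectedModule, v, fixedVersion)
	} else {
		fmt.Printf("%s %s is at or above %s: not affected\n", affectedModule, v, fixedVersion)
	}
}
```

Point `Affected` at the contents of a real go.mod to run the same check on a project. The go.mod only tells you what is declared; for a deployed binary, `go version -m` on the executable gives the version that was actually built in, and the two should agree.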

How do I fix CVE-2025-58355 in Soft Serve?

Upgrade to version 0.10.0 or later of Soft Serve. Until then, limit who holds SSH accounts and which networks can reach the SSH listener, and run the service as an unprivileged user confined to its own data directory.

Is CVE-2025-58355 being actively exploited?

As of the last update, there is no confirmed active exploitation of CVE-2025-58355 in the wild, but public PoCs may emerge.

Where can I find the official Soft Serve advisory for CVE-2025-58355?

Refer to the official Soft Serve GitHub repository and related security announcements for the latest advisory information: https://github.com/charmbracelet/soft-serve
