Platform: go
Component: github.com/charmbracelet/soft-serve
Fixed in: 0.10.1, 0.10.0
CVE-2025-58355 describes an Arbitrary File Access vulnerability discovered in Soft Serve, a Go-based SSH server implementation. This flaw allows an attacker to write arbitrary files through the SSH API, potentially leading to unauthorized code execution and system compromise. The vulnerability affects versions of Soft Serve prior to 0.10.0, and a patch has been released to address the issue.
The Arbitrary File Access vulnerability in Soft Serve poses a significant risk. An attacker exploiting this flaw can write malicious files to the server's filesystem, potentially overwriting critical configuration files or injecting malicious code. Successful exploitation could lead to remote code execution (RCE), allowing the attacker to gain complete control over the affected system. The impact is amplified if the server hosts sensitive data or is part of a critical infrastructure. The ability to write arbitrary files bypasses standard security controls, making it a particularly dangerous vulnerability.
CVE-2025-58355 was publicly disclosed on 2025-09-08. There is currently no indication of active exploitation in the wild. The vulnerability is not listed on the CISA KEV catalog as of this writing. Public proof-of-concept (PoC) code may emerge, increasing the risk of exploitation.
Exploit Status
EPSS: 0.07% (20th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-58355 is to upgrade to version 0.10.0 or later of Soft Serve. If an immediate upgrade is not feasible, consider implementing temporary workarounds. Restrict access to the SSH API to trusted users and networks. Implement strict file access controls on the server to limit the attacker's ability to write files to sensitive locations. Monitor SSH logs for suspicious activity, particularly attempts to access or modify files outside of expected directories. After upgrading, confirm the fix by attempting to trigger the file writing vulnerability and verifying that it is no longer exploitable.
Update soft-serve to version 0.10.0 or later. This version contains the fix for the arbitrary file write vulnerability. The update can be performed by downloading the new version from the official repository and replacing the previous version.
CVE-2025-58355 is a vulnerability in Soft Serve allowing attackers to write arbitrary files via the SSH API, potentially leading to code execution. It affects versions before 0.10.0.
You are affected if you are using Soft Serve versions prior to 0.10.0. Check your installed version and upgrade immediately if vulnerable.
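As an added example (not code from the Soft Serve project or from this advisory), the following Go program performs the version check described above: it scans a go.mod for the github.com/charmbracelet/soft-serve requirement and compares it against the fixed release v0.10.0 using semver precedence, so a prerelease tag below the fix (for example v0.10.0-rc1) is still reported as affected. The sample go.mod content and its version number are constructed for the demonstration, and the function names are my own.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Module path and fixed version are taken from the advisory text.
const (
	softServeModule = "github.com/charmbracelet/soft-serve"
	fixedVersion    = "v0.10.0"
)

// FindModuleVersion scans go.mod content for modulePath and returns the
// version it is required at. It handles both the single-line and the block
// `require` forms and ignores a trailing `// indirect` comment. An empty
// string means the module is not required by this go.mod.
func FindModuleVersion(goMod, modulePath string) string {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i]) // drop comments such as "// indirect"
		}
		line = strings.TrimPrefix(line, "require ")
		fields := strings.Fields(line)
		if len(fields) == 2 && fields[0] == modulePath && strings.HasPrefix(fields[1], "v") {
			return fields[1]
		}
	}
	return ""
}

// parseSemver splits "vMAJOR.MINOR.PATCH[-prerelease][+build]" into its
// numeric parts and a prerelease flag. Go module versions always carry "v".
func parseSemver(v string) ([3]int, bool, error) {
	var parts [3]int
	if !strings.HasPrefix(v, "v") {
		return parts, false, fmt.Errorf("not a Go module version: %q", v)
	}
	core := v[1:]
	if i := strings.Index(core, "+"); i >= 0 {
		core = core[:i] // build metadata never affects precedence
	}
	pre := false
	if i := strings.Index(core, "-"); i >= 0 {
		pre = true // "-rc1" or a pseudo-version suffix like "-0.20250101-abcdef"
		core = core[:i]
	}
	nums := strings.Split(core, ".")
	if len(nums) != 3 {
		return parts, false, fmt.Errorf("malformed version: %q", v)
	}
	for i, n := range nums {
		x, err := strconv.Atoi(n)
		if err != nil || x < 0 {
			return parts, false, fmt.Errorf("malformed version: %q", v)
		}
		parts[i] = x
	}
	return parts, pre, nil
}

// VersionLess reports whether a precedes b under semver rules: numeric
// components are compared first; when the core versions are equal, a
// prerelease precedes the release (v0.10.0-rc1 < v0.10.0).
func VersionLess(a, b string) (bool, error) {
	pa, preA, err := parseSemver(a)
	if err != nil {
		return false, err
	}
	pb, preB, err := parseSemver(b)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i], nil
		}
	}
	return preA && !preB, nil
}

// IsAffected reports whether the go.mod content requires a soft-serve version
// below the fixed release. The second value is the version found ("" when
// soft-serve is not a dependency at all, in which case affected is false).
func IsAffected(goMod string) (bool, string, error) {
	v := FindModuleVersion(goMod, softServeModule)
	if v == "" {
		return false, "", nil
	}
	affected, err := VersionLess(v, fixedVersion)
	return affected, v, err
}

// sampleGoMod is a constructed go.mod used only to exercise the check.
const sampleGoMod = `module example.com/myservice

go 1.22

require (
	github.com/charmbracelet/soft-serve v0.9.1 // indirect
	golang.org/x/crypto v0.27.0
)
`

func main() {
	affected, v, err := IsAffected(sampleGoMod)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("soft-serve %s affected by CVE-2025-58355: %v\n", v, affected)
}
```

Run it against a real go.mod by replacing sampleGoMod with the file's contents; a build that pins the module through a `replace` directive or vendors a fork is not covered by this check and needs a manual look.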
Upgrade to version 0.10.0 or later of Soft Serve. Restrict SSH API access and implement file access controls as temporary mitigations.
As of the last update, there is no confirmed active exploitation of CVE-2025-58355 in the wild, but public PoCs may emerge.
Refer to the official Soft Serve GitHub repository and related security announcements for the latest advisory information: https://github.com/charmbracelet/soft-serve