Platform: go
Component: github.com/charmbracelet/soft-serve
Fixed in: 0.10.1, 0.10.0
CVE-2025-58355 describes an Arbitrary File Access vulnerability discovered in Soft Serve, a Go-based SSH server implementation. This flaw allows an attacker to write arbitrary files through the SSH API, potentially leading to unauthorized code execution and system compromise. The vulnerability affects versions of Soft Serve prior to 0.10.0, and a patch has been released to address the issue.
The Arbitrary File Access vulnerability in Soft Serve poses a significant risk. An attacker exploiting this flaw can write malicious files to the server's filesystem, potentially overwriting critical configuration files or injecting malicious code. Successful exploitation could lead to remote code execution (RCE), allowing the attacker to gain complete control over the affected system. The impact is amplified if the server hosts sensitive data or is part of critical infrastructure. The ability to write arbitrary files bypasses standard security controls, making it a particularly dangerous vulnerability.
CVE-2025-58355 was publicly disclosed on 2025-09-08. There is currently no indication of active exploitation in the wild. The vulnerability is not listed on the CISA KEV catalog as of this writing. Public proof-of-concept (PoC) code may emerge, increasing the risk of exploitation.
Organizations using Soft Serve as an SSH server, particularly those with exposed SSH APIs or limited access controls, are at risk. Development teams relying on Soft Serve within their Go applications should also prioritize patching. Shared hosting environments utilizing Soft Serve are particularly vulnerable due to the potential for cross-tenant exploitation.
• go / server:
find / -name "soft_serve" -type d -print0 | xargs -0 grep -ri "ssh api file write"
• generic web:
curl -I http://<server_ip>/ssh_api_endpoint
Inspect the response headers for any unusual configurations or exposed file paths.
disclosure
Exploit status
EPSS: 0.07% (percentile 20%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-58355 is to upgrade to version 0.10.0 or later of Soft Serve. If an immediate upgrade is not feasible, consider implementing temporary workarounds. Restrict access to the SSH API to trusted users and networks. Implement strict file access controls on the server to limit the attacker's ability to write files to sensitive locations. Monitor SSH logs for suspicious activity, particularly attempts to access or modify files outside of expected directories. After upgrading, confirm the fix by attempting to trigger the file writing vulnerability and verifying that it is no longer exploitable.
Update soft-serve to version 0.10.0 or later. This version contains the fix for the arbitrary file write vulnerability. The update can be performed by downloading the new version from the official repository and replacing the previous version.
CVE-2025-58355 is a vulnerability in Soft Serve allowing attackers to write arbitrary files via the SSH API, potentially leading to code execution. It affects versions before 0.10.0.
You are affected if you are using Soft Serve versions prior to 0.10.0. Check your installed version and upgrade immediately if vulnerable.
Upgrade to version 0.10.0 or later of Soft Serve. Restrict SSH API access and implement file access controls as temporary mitigations.
As of the last update, there is no confirmed active exploitation of CVE-2025-58355 in the wild, but public PoCs may emerge.
Refer to the official Soft Serve GitHub repository and related security announcements for the latest advisory information: https://github.com/charmbracelet/soft-serve
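As an added example (not part of this advisory or the soft-serve project), the "check your installed version" step applied to a Go dependency file: this program scans go.mod for the github.com/charmbracelet/soft-serve require directive and compares the pinned version against v0.10.0, the fixed version named here, treating pre-releases of v0.10.0 as still unfixed. The sample go.mod is constructed for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Module path and first fixed version as stated in the advisory above.
const affectedModule, fixedVersion = "github.com/charmbracelet/soft-serve", "v0.10.0"
// requireLine matches "require path vX.Y.Z" or an indented "path vX.Y.Z" inside a require block.
var requireLine = regexp.MustCompile(`^\s*(?:require\s+)?(\S+)\s+(v\d+\.\d+\.\d+\S*)`)

// parseSemver returns major.minor.patch and whether v carries a pre-release suffix (v0.10.0-rc1);
// the "+incompatible" build suffix is stripped but is not a pre-release.
func parseSemver(v string) (nums [3]int, pre bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		pre, v = v[i] == '-', v[:i]
	}
	fmt.Sscanf(v, "%d.%d.%d", &nums[0], &nums[1], &nums[2]) // shape already validated by requireLine
	return nums, pre
}

// fixedOrLater reports whether have >= fixedVersion; a pre-release of the fixed version itself is not fixed.
func fixedOrLater(have string) bool {
	h, hPre := parseSemver(have)
	w, _ := parseSemver(fixedVersion)
	for i := range h {
		if h[i] != w[i] {
			return h[i] > w[i]
		}
	}
	return !hPre
}

// CheckGoMod returns the soft-serve version a go.mod requires ("" if absent) and whether it predates the fix.
func CheckGoMod(gomod string) (found string, vulnerable bool) {
	for _, line := range strings.Split(gomod, "\n") {
		if m := requireLine.FindStringSubmatch(line); m != nil && m[1] == affectedModule {
			return m[2], !fixedOrLater(m[2])
		}
	}
	return "", false
}

func main() {
	// Constructed sample go.mod, not taken from any real project.
	sample := "module example.com/app\n\ngo 1.22\n\nrequire (\n\tgithub.com/charmbracelet/soft-serve v0.9.1\n\tgithub.com/spf13/cobra v1.8.0 // indirect\n)\n"
	v, vuln := CheckGoMod(sample)
	fmt.Printf("%s %s vulnerable=%t (fixed in %s)\n", affectedModule, v, vuln, fixedVersion)
}
```

Running it against a real go.mod only tells you what the module graph pins; a soft-serve binary installed outside Go tooling must be checked through its own version reporting.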