Description
Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.4, an authenticated SSH user can force the server to make HTTP requests to internal/private IP addresses by running repo import with a crafted --lfs-endpoint URL. The initial batch request is blind (the response from a metadata endpoint won't parse as valid LFS JSON), but an attacker hosting a fake LFS server can chain this into full read access to internal services by returning download URLs that point at internal targets. This issue has been patched in version 0.11.4.
Published: 2026-03-07
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Server Side Request Forgery enabling internal network access
Action: Immediate Patch
AI Analysis

Impact

An authenticated SSH user can make the Soft Serve server perform HTTP requests to arbitrary URLs by supplying a crafted --lfs-endpoint during repository import. The vulnerability is a classic server-side request forgery (CWE-918): the attacker can cause the server to reach internal or private IP addresses, potentially leaking sensitive data or gaining further network access. The initial batch request is blind, because a non-LFS response from an internal endpoint won't parse as valid LFS JSON, but an attacker who controls a fake LFS server can chain it by returning download URLs that point at internal services and thereby retrieve their content.

Affected Systems

Versions of Soft Serve from 0.6.0 up to (but not including) 0.11.4 are affected. The vulnerability applies to installations of the charmbracelet Soft Serve Git server that accept authenticated SSH sessions and allow those users to run the repo import command. Systems running v0.11.4 or later are not vulnerable.

Risk and Exploitability

The flaw carries a CVSS base score of 9.1 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L), reflecting a high confidentiality impact with changed scope when an attacker can coerce the server into accessing private resources. The EPSS score of less than 1% indicates that, as of this analysis, exploitation is unlikely to be widespread; no public exploits are documented, and the vulnerability is not listed in CISA's KEV catalog. Although exploitation requires authenticated SSH access, the threat persists in environments where such users are permitted to invoke the import command. The overall risk remains high for organizations that allow users to import repositories without strict controls.

Generated by OpenCVE AI on April 16, 2026 at 10:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Soft Serve to version 0.11.4 or later
  • If upgrading is not immediately possible, restrict or disable the repo import command for SSH users, or block the --lfs-endpoint parameter from being supplied
  • Implement network segmentation or firewall rules to prevent the Soft Serve process from making outbound requests to internal or private IP ranges
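The root cause described above is a user-controlled --lfs-endpoint URL that the server fetched without validation, and the recommended mitigation is to keep the Soft Serve process from reaching internal ranges. The Go program below is an added example of how a defender can enforce that at the application layer; it is not Soft Serve's code and not the 0.11.4 fix. The function names (validateLFSEndpoint, isInternalIP, newGuardedClient, stubLookup) and the hostname-to-address mapping in stubLookup are assumptions constructed for the demonstration. It checks the scheme and every resolved address of the endpoint, re-checks the literal address at connect time so a DNS answer cannot change between validation and dial, and re-validates each redirect target, which covers the chain described above in which a fake LFS server hands back download URLs that point at internal hosts.

```go
// Added example (not Soft Serve's own code or its 0.11.4 fix): an application-
// layer guard for outbound LFS requests. All identifiers are assumed names.
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// isInternalIP reports whether ip lies in a range an outbound LFS client should
// never reach: loopback, RFC 1918/ULA private space, link-local (which covers
// the 169.254.169.254 cloud metadata address), unspecified and multicast.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// validateLFSEndpoint parses a user-supplied --lfs-endpoint value and rejects
// anything that is not a plain http(s) URL whose host resolves only to
// non-internal addresses. lookup is injected so a stub can replace net.LookupIP.
func validateLFSEndpoint(raw string, lookup func(string) ([]net.IP, error)) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("lfs endpoint: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("lfs endpoint: scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return nil, errors.New("lfs endpoint: credentials in URL not allowed")
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("lfs endpoint: empty host")
	}
	ips, err := lookup(host)
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("lfs endpoint: cannot resolve %q: %v", host, err)
	}
	// One internal answer is enough to refuse: the dialer may pick any of them.
	for _, ip := range ips {
		if isInternalIP(ip) {
			return nil, fmt.Errorf("lfs endpoint: %q resolves to blocked address %s", host, ip)
		}
	}
	return u, nil
}

// newGuardedClient builds an http.Client that re-checks the literal address it
// is about to connect to (a DNS answer that changes between validation and dial
// still cannot reach an internal host) and re-validates every redirect target,
// so a fake LFS server cannot bounce the request to an internal service.
func newGuardedClient(lookup func(string) ([]net.IP, error)) *http.Client {
	dialer := &net.Dialer{
		Timeout: 10 * time.Second,
		Control: func(network, address string, _ syscall.RawConn) error {
			host, _, err := net.SplitHostPort(address)
			if err != nil {
				return err
			}
			if ip := net.ParseIP(host); ip == nil || isInternalIP(ip) {
				return fmt.Errorf("blocked connection to %s", address)
			}
			return nil
		},
	}
	return &http.Client{
		Timeout:   30 * time.Second,
		Transport: &http.Transport{DialContext: dialer.DialContext},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("too many redirects")
			}
			_, err := validateLFSEndpoint(req.URL.String(), lookup)
			return err
		},
	}
}

// stubLookup stands in for net.LookupIP so the example runs offline. The
// mapping is constructed; 203.0.113.10 is a documentation address standing in
// for a public LFS host.
func stubLookup(host string) ([]net.IP, error) {
	if ip := net.ParseIP(host); ip != nil {
		return []net.IP{ip}, nil
	}
	if host == "lfs.example.org" {
		return []net.IP{net.ParseIP("203.0.113.10")}, nil
	}
	return nil, fmt.Errorf("no such host %q", host)
}
```

In real use, pass net.LookupIP instead of stubLookup, run the user's endpoint through validateLFSEndpoint before the batch request, and put every download href from the batch response through the same check before fetching it with the client from newGuardedClient. Egress filtering at the network layer (the third recommended action) remains the backstop for anything an application-level check misses.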

Generated by OpenCVE AI on April 16, 2026 at 10:51 UTC.


Advisories

  • Source: Github GHSA
    ID: GHSA-3fvx-xrxq-8jvv
    Title: soft-serve vulnerable to SSRF via unvalidated LFS endpoint in repo import

History

Wed, 11 Mar 2026 20:45:00 +0000

  • First Time appeared (values added): Charm; Charm soft Serve
  • CPEs (values added): cpe:2.3:a:charm:soft_serve:*:*:*:*:*:go:*:*
  • Vendors & Products (values added): Charm; Charm soft Serve

Mon, 09 Mar 2026 19:15:00 +0000

  • Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

  • First Time appeared (values added): Charmbracelet; Charmbracelet soft-serve
  • Vendors & Products (values added): Charmbracelet; Charmbracelet soft-serve

Sat, 07 Mar 2026 16:15:00 +0000

  • Description (values added): Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.4, an authenticated SSH user can force the server to make HTTP requests to internal/private IP addresses by running repo import with a crafted --lfs-endpoint URL. The initial batch request is blind (the response from a metadata endpoint won't parse as valid LFS JSON), but an attacker hosting a fake LFS server can chain this into full read access to internal services by returning download URLs that point at internal targets. This issue has been patched in version 0.11.4.
  • Title (values added): Soft Serve: SSRF via unvalidated LFS endpoint in repo import
  • Weaknesses (values added): CWE-918
  • References (values added)
  • Metrics (values added): cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L'}

Subscriptions

Charm Soft Serve
Charmbracelet Soft-serve
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T18:26:21.312Z

Reserved: 2026-03-05T21:06:44.606Z

Link: CVE-2026-30832

Vulnrichment

Updated: 2026-03-09T17:52:28.240Z

NVD

Status: Analyzed

Published: 2026-03-07T16:15:55.893

Modified: 2026-03-11T20:36:30.093

Link: CVE-2026-30832

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:00:10Z

Weaknesses