Nixpkgs security tracker

Untriaged

Permalink CVE-2026-33353

created 3 weeks, 4 days ago

Soft Serve: Authenticated repo import can clone server-local private repositories

Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.6, an authorization flaw in repo import allows any authenticated SSH user to clone a server-local Git repository, including another user's private repo, into a new repository they control. This issue has been patched in version 0.11.6.

References

https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-xgxp-f695-6vrp x_refsource_CONFIRM
https://github.com/charmbracelet/soft-serve/commit/c147421caf234bcfc1570c79d728ecbbe5813e55 x_refsource_MISC
https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.6 x_refsource_MISC

Affected products

soft-serve

==>= 0.6.0, < 0.11.6

Matching in nixpkgs

pkgs.soft-serve

Tasty, self-hosted Git server for the command line

nixos-unstable 0.11.5
- nixpkgs-unstable 0.11.5
- nixos-unstable-small 0.11.5
nixos-25.11 0.11.5
- nixos-25.11-small 0.11.5
- nixpkgs-25.11-darwin 0.11.5

Package maintainers

@penguwin Nicolas Martin <penguwin@penguwin.eu>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.soft-serve

Package maintainers