
Cloud Vulnerability DB
A community-led vulnerabilities database
Soft Serve, a self-hostable Git server for the command line, was found to contain a path traversal vulnerability (CVE-2025-22130) affecting versions prior to 0.8.2. The vulnerability was discovered and disclosed on January 8, 2025. The issue affects the repository management functionality of the software, specifically impacting multi-user Soft Serve installations that enable repository creation for users (GitHub Advisory).
The flaw is a path traversal that lets an existing non-admin user reach and take over other users' repositories. It stems from insufficient sanitization of user-supplied repository paths in the repository management code. The fix resolves repository paths against an absolute base directory and normalizes them with path.Clean before they are used (GitHub Commit).
Through this traversal a malicious user can modify, delete, and otherwise manipulate repositories as though they were an admin, without ever being granted those permissions. In multi-user installations this amounts to unauthorized access to and control over other users' repositories (GitHub Advisory).
The vulnerability is patched in Soft Serve version 0.8.2, and users are strongly advised to upgrade. Single-user setups are not affected, so those unable to upgrade immediately are at risk only if they run a multi-user installation; for multi-user installations, upgrading is necessary to prevent unauthorized access (GitHub Release).
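As an added illustration, not code from Soft Serve or from the advisory, the Go functions below show the shape of the fix described above: the user-supplied repository name is normalized with path.Clean, joined onto an absolute repository root, and the access check keys on that same canonical name so the authorization layer and the filesystem layer can never disagree about which repository is meant. The names CanonicalRepoName, RepoPath, CanWrite and the owners map are assumptions for this example.

```go
package main

import (
	"errors"
	"path"
	"path/filepath"
	"strings"
)

// ErrUnsafeRepoName marks a name that is empty, absolute, or climbs above the root.
var ErrUnsafeRepoName = errors.New("unsafe repository name")

// CanonicalRepoName normalises a user-supplied repository name with path.Clean
// and rejects anything that could still escape the repository root. It rejects
// rather than folds "..", so "../alice/repo" never quietly becomes "alice/repo".
func CanonicalRepoName(name string) (string, error) {
	name = strings.ReplaceAll(name, `\`, "/")
	if name == "" || strings.ContainsRune(name, 0) || strings.HasPrefix(name, "/") {
		return "", ErrUnsafeRepoName
	}
	cleaned := path.Clean(name)
	if cleaned == "." || cleaned == ".." || strings.HasPrefix(cleaned, "../") {
		return "", ErrUnsafeRepoName
	}
	return cleaned, nil
}

// RepoPath joins the canonical name onto an absolute repository root, the
// "absolute paths plus path.Clean" shape the advisory describes for the fix.
func RepoPath(root, name string) (string, error) {
	cleaned, err := CanonicalRepoName(name)
	if err != nil {
		return "", err
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	return filepath.Join(absRoot, filepath.FromSlash(cleaned)), nil
}

// CanWrite is a hypothetical access check: owners maps canonical repository
// names to owners and is consulted with the same canonical name the filesystem
// layer uses, so "bob/../alice/notes" is judged as alice's repository, not bob's.
func CanWrite(owners map[string]string, user, name string) bool {
	cleaned, err := CanonicalRepoName(name)
	if err != nil {
		return false
	}
	return owners[cleaned] == user
}
```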
Source: This report was generated using AI