Soft Serve Git Server Authorization Flaw in Repository Import Allows Unauthorized Access to Private Repositories

Vulnerability

An authorization vulnerability has been identified in Soft Serve, a self-hostable Git server, affecting versions from 0.6.0 up to but not including 0.11.6. The flaw allows any authenticated SSH user to clone a server-local Git repository, including the private repositories of other users, into a new repository under their control. It arises because the repository import feature checks authorization only for the destination repository name and never for the source remote, so a server-local path to another user's private repository is accepted as the import source and its contents are copied into a repository the user can read.

Impact

Exploitation of this vulnerability gives an authenticated user unauthorized read access to private Git repositories, exposing confidential files and any secrets committed to them. Where the affected repositories hold release materials or other sensitive source, this also creates a supply-chain risk.

Reproduction

To reproduce this vulnerability, start by creating a private repository on a Soft Serve instance. Then, as a low-privilege authenticated user, import the server-local path of the private repository into a new repository. After the import, clone the newly created repository to access the confidential contents of the original private repository.
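To make the missing check concrete, here is an added illustration (hypothetical Go, not Soft Serve's own code) of an import authorization routine that first performs the destination-only check the advisory describes and then adds the source check: a remote that resolves to the server's own filesystem must name a repository the importing user can already read, and paths outside the repository store are refused. The repository root, the Perms lookup and the repository names are assumptions made for this example.

```go
package main

import (
	"path/filepath"
	"strings"
)

// Perms is a hypothetical lookup of what a user may do with a named repo.
type Perms func(user, repo string) (read, write bool)

const reposRoot = "/srv/soft-serve/repos" // constructed path for the example

// localSource reports whether remote points into this server's filesystem and,
// if so, the repo name under reposRoot it resolves to ("" when outside it).
func localSource(remote string) (repo string, local bool) {
	p := remote
	switch {
	case strings.HasPrefix(p, "file://"):
		p = strings.TrimPrefix(p, "file://")
	case strings.Contains(p, "://"):
		return "", false // http(s)/ssh/git URL: a network remote
	case strings.Contains(p, ":") && !strings.HasPrefix(p, "/") && !strings.HasPrefix(p, "."):
		return "", false // scp-style user@host:path is also remote
	}
	if !filepath.IsAbs(p) {
		p = filepath.Join(reposRoot, p) // bare names resolve inside the repo store
	}
	rel, err := filepath.Rel(reposRoot, filepath.Clean(p))
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, "../") {
		return "", true // local, but not a repo under reposRoot
	}
	return strings.TrimSuffix(rel, ".git"), true
}

// importAllowed is the authorization an import handler should perform. The
// destination test is the only one the vulnerable versions ran; the source
// test is the missing step: a server-local source must be readable by the user.
func importAllowed(perms Perms, user, dest, remote string) bool {
	if _, write := perms(user, dest); !write {
		return false // cannot create the destination repo
	}
	src, local := localSource(remote)
	if !local {
		return true // network remote: nothing on this server to protect
	}
	read, _ := perms(user, src) // the check vulnerable versions skipped
	return src != "" && read    // "" means a local path outside the repo store
}
```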

Remediation

Update to Soft Serve version 0.11.6 or later, where this vulnerability has been patched.

Added: Mar 24, 2026, 8:24 PM
Updated: Mar 24, 2026, 8:24 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 7.7
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.