Soft Serve, Hard Fail: The Context Pollution Authentication Bypass
Vulnerability ID: GHSA-PCHF-49FH-W34R
CVSS Score: 10.0
Published: 2026-01-21
A critical state management logic error in Soft Serve's SSH handling allows unauthenticated attackers to impersonate administrators simply by knowing the administrator's public key. By exploiting the SSH protocol's 'public key offering' phase, an attacker can pollute the session context with a privileged identity before authenticating with their own low-privileged key.
TL;DR
Soft Serve versions prior to v0.11.3 contain a CVSS 10.0 critical vulnerability. The application eagerly resolves and stores user identities during the SSH public key 'query' phase (before a cryptographic signature is verified). By offering an admin's public key and then switching to their own valid key, an attacker can trick the server into treating the session as an administrator session. Update to v0.11.3 immediately.
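The flaw described above is a general pattern, not specific to Soft Serve: in the SSH "publickey" method a client may first offer a key without a signature to ask whether the server would accept it, and only sign with a key later, so a server sees several offers per connection and must bind the session identity to the key whose signature actually verified. The following Go program is an added example written for this advisory, not Soft Serve's code or the patch. It models the two server behaviours side by side with a simplified server: `vulnerableAuth` caches the user the first time a known key is merely offered, while `fixedAuth` records the user only from a signed, verified offer. The `Server`, `Session` and `Offer` types, the fingerprint scheme and the fixed `challenge` standing in for the SSH session ID are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Offer models one SSH "publickey" attempt. A client may first ask
// "would you accept this key?" with no signature and sign only later,
// so a server sees several offers per connection, most of them unsigned.
type Offer struct {
	Key ed25519.PublicKey
	Sig []byte // nil for a bare query
}

// Session is the per-connection context a server keeps across offers
// (a simplified stand-in for the real SSH context; an assumption).
type Session struct {
	User string
}

// Server maps authorized-key fingerprints to usernames.
type Server struct {
	users map[string]string
}

// fingerprint is a short stable identifier for a key (example scheme).
func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// vulnerableAuth caches the identity the first time a known key is
// offered, before any signature exists (simplified model of the flaw).
func (s *Server) vulnerableAuth(sess *Session, challenge []byte, offers []Offer) error {
	for _, o := range offers {
		user, known := s.users[fingerprint(o.Key)]
		if !known {
			continue
		}
		if sess.User == "" {
			sess.User = user // context polluted by an unsigned offer
		}
		if o.Sig != nil && ed25519.Verify(o.Key, challenge, o.Sig) {
			return nil // succeeds, but sess.User may belong to someone else
		}
	}
	return errors.New("authentication failed")
}

// fixedAuth sets the identity only from the key whose signature verified.
func (s *Server) fixedAuth(sess *Session, challenge []byte, offers []Offer) error {
	for _, o := range offers {
		user, known := s.users[fingerprint(o.Key)]
		if !known || o.Sig == nil {
			continue
		}
		if ed25519.Verify(o.Key, challenge, o.Sig) {
			sess.User = user
			return nil
		}
	}
	return errors.New("authentication failed")
}

// RunScenario replays the multi-key offering from the advisory: the admin
// key is offered unsigned, then a low-privileged key is signed. It returns
// the user each variant ends up binding to the session.
func RunScenario() (vulnUser, fixedUser string, err error) {
	adminPub, _, err := ed25519.GenerateKey(rand.Reader) // admin private key is never used
	if err != nil {
		return "", "", err
	}
	devPub, devPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", "", err
	}
	srv := &Server{users: map[string]string{
		fingerprint(adminPub): "admin",
		fingerprint(devPub):   "dev",
	}}
	challenge := []byte("constructed session challenge") // stands in for the SSH session id
	offers := []Offer{
		{Key: adminPub},                                      // query only: no signature
		{Key: devPub, Sig: ed25519.Sign(devPriv, challenge)}, // the caller's own key
	}

	var v Session
	if err := srv.vulnerableAuth(&v, challenge, offers); err != nil {
		return "", "", err
	}
	var f Session
	if err := srv.fixedAuth(&f, challenge, offers); err != nil {
		return "", "", err
	}
	return v.User, f.User, nil
}

func main() {
	v, f, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("vulnerable server binds session to %q, fixed server binds to %q\n", v, f)
}
```

The defensive rule the fixed variant encodes is the one to check in any SSH server built on a public-key callback: anything resolved during an unsigned offer is untrusted, and the session's identity must be derived from (or re-checked against) the key that produced the verified signature.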
⚠️ Exploit Status: WEAPONIZED
Technical Details
- Attack Vector: Network (SSH)
- CVSS: 10.0 (Critical)
- CWE: CWE-287 & CWE-840
- Prerequisites: Target Public Key (Admin)
- Exploit Status: Functional PoC Available
- Root Cause: Session State Pollution
Affected Systems
- Soft Serve Git Server < v0.11.3 (fixed in v0.11.3)
Code Analysis
Commit: 8539f9a
Fix: authenticate with the actual signed key
Diff not reproduced here; refer to the commit on GitHub.
Exploit Details
- Internal PoC: Regression test included in the patch commit demonstrates the multi-key offering attack.
Mitigation Strategies
- Upgrade to Soft Serve v0.11.3 or later immediately.
- Restrict network access to the Git server port (23231) to trusted IPs until patched.
- Audit logs for multi-key authentication attempts from single IP addresses.
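One way to act on the log-audit suggestion above, as an added example that is not part of the advisory: group authentication events per connection and flag sessions in which a key other than the one finally accepted was offered first. Soft Serve's actual log format is not given on this page, so the space-separated `key=value` format parsed below, the field names (`remote`, `session`, `key`, `result`) and the sample lines are all constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// authEvent is one parsed line of the constructed auth log. The format
// (space-separated key=value fields) is an assumption for this example,
// not Soft Serve's real log format.
type authEvent struct {
	Remote  string // client IP, port stripped
	Session string
	Key     string
	Result  string // "offered" or "accepted"
}

func parseLine(line string) (authEvent, bool) {
	var ev authEvent
	for _, f := range strings.Fields(line) {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			continue
		}
		switch k {
		case "remote":
			host := v
			if i := strings.LastIndex(v, ":"); i >= 0 {
				host = v[:i]
			}
			ev.Remote = host
		case "session":
			ev.Session = v
		case "key":
			ev.Key = v
		case "result":
			ev.Result = v
		}
	}
	if ev.Session == "" || ev.Key == "" || ev.Result == "" {
		return ev, false
	}
	return ev, true
}

// Finding describes a session that offered more than one distinct key
// before one was accepted.
type Finding struct {
	Remote, Session string
	Offered         []string // distinct keys in the order first seen
	Accepted        string
}

// FindMultiKeySessions returns sessions in which at least two distinct
// keys were offered and one was eventually accepted.
func FindMultiKeySessions(lines []string) []Finding {
	type state struct {
		remote   string
		offered  []string
		seen     map[string]bool
		accepted string
	}
	sessions := map[string]*state{}
	var order []string // keep output deterministic
	for _, l := range lines {
		ev, ok := parseLine(l)
		if !ok {
			continue
		}
		st := sessions[ev.Session]
		if st == nil {
			st = &state{remote: ev.Remote, seen: map[string]bool{}}
			sessions[ev.Session] = st
			order = append(order, ev.Session)
		}
		if !st.seen[ev.Key] {
			st.seen[ev.Key] = true
			st.offered = append(st.offered, ev.Key)
		}
		if ev.Result == "accepted" {
			st.accepted = ev.Key
		}
	}
	var out []Finding
	for _, id := range order {
		st := sessions[id]
		if st.accepted == "" || len(st.offered) < 2 {
			continue
		}
		out = append(out, Finding{Remote: st.remote, Session: id, Offered: st.offered, Accepted: st.accepted})
	}
	return out
}

// SampleLog is constructed input: one ordinary login (s1) and one session
// (s2) that offers a second key before authenticating with a different one.
var SampleLog = []string{
	"2026-01-21T10:00:01Z auth remote=198.51.100.7:40112 session=s1 method=publickey key=SHA256:keyA result=offered",
	"2026-01-21T10:00:01Z auth remote=198.51.100.7:40112 session=s1 method=publickey key=SHA256:keyA result=accepted",
	"2026-01-21T10:02:13Z auth remote=203.0.113.5:51234 session=s2 method=publickey key=SHA256:keyADMIN result=offered",
	"2026-01-21T10:02:13Z auth remote=203.0.113.5:51234 session=s2 method=publickey key=SHA256:keyB result=offered",
	"2026-01-21T10:02:14Z auth remote=203.0.113.5:51234 session=s2 method=publickey key=SHA256:keyB result=accepted",
}

func main() {
	for _, f := range FindMultiKeySessions(SampleLog) {
		fmt.Printf("review session %s from %s: offered %v, accepted %s\n", f.Session, f.Remote, f.Offered, f.Accepted)
	}
}
```

Treat hits as items for review rather than alerts: clients with several keys loaded in an agent legitimately offer them one after another, so the strong signal is an offered key that belongs to an administrator while the accepted key belongs to a different account, which requires joining the finding against your authorized-key inventory.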
Remediation Steps:
- Stop the soft-serve service.
- Download the v0.11.3 binary or pull the latest Docker image (charmcli/soft-serve:v0.11.3).
- Replace the binary.
- Restart the service.
References
Read the full report for GHSA-PCHF-49FH-W34R on our website for more details including interactive diagrams and full exploit analysis.