Carlos Alexandro Becker

5 exploits Active since May 2023
CVE-2023-32698 HIGH WRITEUP
Goreleaser Nfpm < 2.29.0 - Incorrect Default Permissions
nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nFPM packaged the files (without extra config for enforcing its own permissions), files could go out with bad permissions (chmod 666 or 777). Anyone using nFPM to create packages without checking or setting file permissions before packaging could end up shipping files or folders with bad permissions.
CVSS 7.1
CVE-2024-23840 MEDIUM WRITEUP
Goreleaser < 1.24.0 - Log Information Exposure
GoReleaser builds Go binaries for several platforms, creates a GitHub release and then pushes a Homebrew formula to a tap repository. The `goreleaser release --debug` log shows secret values used in the custom publisher. This vulnerability is fixed in 1.24.0.
CVSS 5.5
CVE-2024-41956 HIGH WRITEUP
Charmbracelet Soft-serve < 0.7.5 - OS Command Injection
Soft Serve is a self-hostable Git server for the command line. Prior to 0.7.5, it is possible for a user who can commit files to a repository hosted by Soft Serve to execute arbitrary code via environment manipulation and Git. The issue is that Soft Serve passes all environment variables given by the client to git subprocesses. This includes environment variables that control program execution, such as LD_PRELOAD. This vulnerability is fixed in 0.7.5.
CVSS 8.1
CVE-2025-64494 MEDIUM WRITEUP
Soft Serve < 0.10.0 - Info Disclosure
Soft Serve is a self-hostable Git server for the command line. In versions prior to 0.10.0, there are several places where the user can insert data (e.g. names) from which ANSI escape sequences are not removed, which can then be used, for example, to show fake alerts. By the same token, git messages, when printed, are also not sanitized. This issue is fixed in version 0.10.0.
CVSS 4.6
CVE-2025-64522 CRITICAL WRITEUP
Charm Soft Serve < 0.11.1 - SSRF
Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have an SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints. Version 0.11.1 fixes the vulnerability.
CVSS 9.1