Vulnerability Description
Soft Serve is a self-hostable Git server for the command line. In versions prior to 0.10.0, there are several places where user-supplied data (e.g. names) is printed without ANSI escape sequences being removed, which can be used, for example, to show fake alerts in the terminal. By the same token, git messages are also not sanitized when printed. This issue is fixed in version 0.10.0.
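One defensive approach to the class of bug described above, as an added example that is not Soft Serve's own fix (that lives in the referenced commit): a small Go filter that strips ANSI escape sequences and stray control bytes from untrusted text such as user names or commit messages before they are echoed to a terminal. The function name stripANSI and the sample display name are constructed for this page.

```go
package main

import (
	"fmt"
	"strings"
)

// stripANSI drops terminal escape sequences from untrusted text before it is
// echoed to a terminal: CSI (ESC [ ... final byte), OSC (ESC ] ... BEL or ESC \),
// other two-byte ESC sequences, and stray C0 control bytes other than tab/newline.
func stripANSI(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		if c == 0x1b { // ESC introduces a sequence; work out how far it extends
			switch {
			case i+1 < len(s) && s[i+1] == '[': // CSI: skip params/intermediates, stop at final byte 0x40-0x7E
				j := i + 2
				for j < len(s) && (s[j] < 0x40 || s[j] > 0x7e) {
					j++
				}
				i = j // the loop's i++ then steps over the final byte
			case i+1 < len(s) && s[i+1] == ']': // OSC: runs until BEL or the ST terminator ESC \
				j := i + 2
				for j < len(s) && s[j] != 0x07 && s[j] != 0x1b {
					j++
				}
				if j < len(s) && s[j] == 0x1b {
					j++ // swallow the backslash of ESC \ as well
				}
				i = j // the loop's i++ then steps over BEL or the backslash
			default: // two-byte escape such as ESC c (reset), or a lone trailing ESC
				i++
			}
			continue
		}
		if c < 0x20 && c != '\n' && c != '\t' {
			continue // CR, BEL and other C0 controls have no place in a display name
		}
		b.WriteByte(c)
	}
	return b.String()
}

func main() {
	// Constructed sample: a display name that clears the screen and paints a fake alert.
	name := "alice\x1b[2J\x1b[1;31mWARNING: repository compromised\x1b[0m\x1b]0;evil title\x07"
	fmt.Printf("%q\n", stripANSI(name)) // "aliceWARNING: repository compromised"
}
```

The filter is deliberately conservative: an unterminated or malformed sequence is swallowed up to the end of the input rather than passed through, so a truncated escape can never reach the terminal.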
CVSS Score
4.6 (MEDIUM)
Related Weaknesses (CWE)
References
- https://github.com/charmbracelet/soft-serve/commit/d9639320b8d0ccd76fe6836a042c0
- https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-fv2r-r8mp-p
FAQ
What is CVE-2025-64494?
CVE-2025-64494 is a vulnerability with a CVSS score of 4.6 (MEDIUM). Soft Serve is a self-hostable Git server for the command line. In versions prior to 0.10.0, there are several places where the user can insert data (e.g. names) and ANSI escape sequences are not being...
How severe is CVE-2025-64494?
CVE-2025-64494 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-64494?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.