CVE-2025-64494 MEDIUM

CVE-2025-64494: Soft Serve does not sanitize ANSI escape sequences in user input

Vendor Charmbracelet
Product soft-serve
Weakness CWE-150
Published November 8, 2025
Last update November 10, 2025

CVSS base score

4.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

Soft Serve is a self-hostable Git server for the command line. In versions prior to 0.10.0, there are several places where a user can supply data (e.g. names) without ANSI escape sequences being removed; the terminal then interprets those sequences, which can be used, for example, to show fake alerts. By the same token, Git messages are also not sanitized when printed. This issue is fixed in version 0.10.0.
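The weakness described above (CWE-150) is mitigated by neutralizing terminal control sequences in any user-controlled text before it is written to a terminal. The following Go program is an added example written for this page; it is not Soft Serve's own code nor its 0.10.0 fix, and the function names `stripANSI` and `sanitizeForTerminal` as well as the sample inputs are constructed for illustration. It strips CSI sequences (colors, cursor movement, line erase), OSC and other string-type sequences (window title, hyperlinks), and two-byte escapes such as terminal reset, then drops remaining C0 control characters other than newline and tab, which can otherwise be used to overwrite or hide output.

```go
package main

import (
	"fmt"
	"strings"
)

// stripANSI removes 7-bit terminal escape sequences from untrusted text.
// Handled forms:
//   ESC [ ... final        CSI sequences (colours, cursor movement, erase)
//   ESC ] ... BEL / ESC \  OSC sequences (window title, hyperlinks)
//   ESC P/X/^/_ ... ESC \  DCS, SOS, PM, APC strings
//   ESC <byte>             two-byte escapes (e.g. ESC c "reset")
// A lone trailing ESC is dropped. The 8-bit C1 forms (e.g. 0x9B) are
// deliberately left alone because those bytes are valid UTF-8 continuation
// bytes; the input is treated as UTF-8 and multibyte characters pass through.
func stripANSI(s string) string {
	const esc = 0x1B
	var b strings.Builder
	b.Grow(len(s))
	for i := 0; i < len(s); i++ {
		c := s[i]
		if c != esc {
			b.WriteByte(c)
			continue
		}
		if i+1 >= len(s) {
			break // trailing lone ESC: drop it
		}
		switch s[i+1] {
		case '[': // CSI: parameter/intermediate bytes 0x20-0x3F, final byte 0x40-0x7E
			j := i + 2
			for j < len(s) && s[j] >= 0x20 && s[j] <= 0x3F {
				j++
			}
			if j < len(s) && s[j] >= 0x40 && s[j] <= 0x7E {
				j++
			}
			i = j - 1
		case ']', 'P', 'X', '^', '_': // string-type sequences, terminated by ST (ESC \) or, for OSC, BEL
			j := i + 2
			for j < len(s) {
				if s[j] == 0x07 && s[i+1] == ']' {
					j++
					break
				}
				if s[j] == esc && j+1 < len(s) && s[j+1] == '\\' {
					j += 2
					break
				}
				j++
			}
			i = j - 1 // an unterminated string sequence swallows the rest (conservative)
		default: // two-byte escape such as ESC c (full reset)
			i++
		}
	}
	return b.String()
}

// sanitizeForTerminal strips escape sequences and then drops the remaining
// C0 control characters (and DEL) except newline and tab, so that carriage
// return and backspace cannot be used to overwrite already-printed text.
func sanitizeForTerminal(s string) string {
	s = stripANSI(s)
	var b strings.Builder
	b.Grow(len(s))
	for i := 0; i < len(s); i++ {
		c := s[i]
		if (c < 0x20 && c != '\n' && c != '\t') || c == 0x7F {
			continue
		}
		b.WriteByte(c)
	}
	return b.String()
}

func main() {
	// Constructed sample: a display name that clears the line and prints a
	// red fake alert, followed by a commit message carrying an OSC hyperlink.
	name := "alice\x1b[2K\x1b[1;31mERROR: repository deleted\x1b[0m"
	msg := "fix typo \x1b]8;;http://example.invalid\x1b\\click here\x1b]8;;\x1b\\\rREAL MESSAGE"
	fmt.Printf("raw name:  %q\nsanitized: %q\n", name, sanitizeForTerminal(name))
	fmt.Printf("raw msg:   %q\nsanitized: %q\n", msg, sanitizeForTerminal(msg))
}
```

The sanitizer works on bytes rather than runes so that it never splits or re-encodes multibyte UTF-8 text; only the ASCII ESC byte and C0 range are ever removed. Apply it at the output boundary (wherever a name or Git message is rendered to a terminal), not at storage time, so the stored data remains intact and any future renderer can apply its own policy.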

Key dates

02 Disclosure timeline

November 8, 2025 CVE published
November 10, 2025 Record updated