CVE-2025-64494

MEDIUM

Soft Serve <0.10.0 - Info Disclosure


Description

Soft Serve is a self-hostable Git server for the command line. In versions prior to 0.10.0, there are several places where user-supplied data (e.g. names) is printed without ANSI escape sequences being removed, which can then be used, for example, to show fake alerts in the terminal. By the same token, git messages are also not sanitized when printed. This issue is fixed in version 0.10.0.
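As an added illustration of the kind of sanitization the advisory calls for (this is example code, not Soft Serve's own fix), the Go function below strips ANSI/VT escape sequences and stray control characters from untrusted strings such as user names or commit messages before they are written to a terminal; the function names and sample input are my own.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// sanitizeTerminalText removes escape sequences and control characters from
// untrusted text. It handles CSI (ESC [ ... final byte), OSC (ESC ] ... BEL or
// ESC \), other two-byte ESC sequences and their 8-bit C1 forms (0x9b, 0x9d).
// Newline and tab are kept; every other C0/C1 control is dropped.
func sanitizeTerminalText(s string) string {
	var b strings.Builder
	rs := []rune(s)
	for i := 0; i < len(rs); i++ {
		r := rs[i]
		switch {
		case r == 0x1b || r == 0x9b || r == 0x9d: // ESC, 8-bit CSI, 8-bit OSC
			i = skipEscape(rs, i)
		case r == '\n' || r == '\t':
			b.WriteRune(r)
		case unicode.IsControl(r):
			// drop CR, BEL, DEL and the rest of C0/C1
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// skipEscape returns the index of the last rune of the sequence starting at
// rs[i]. An unterminated sequence swallows the remainder of the input, so
// nothing following a dangling ESC is ever rendered.
func skipEscape(rs []rune, i int) int {
	kind := rs[i]
	if kind == 0x1b {
		if i+1 >= len(rs) {
			return len(rs)
		}
		switch rs[i+1] {
		case '[':
			kind, i = 0x9b, i+1
		case ']':
			kind, i = 0x9d, i+1
		default:
			return i + 1 // two-byte sequence such as ESC c (reset)
		}
	}
	for j := i + 1; j < len(rs); j++ {
		if kind == 0x9b && rs[j] >= 0x40 && rs[j] <= 0x7e { // CSI final byte
			return j
		}
		if kind == 0x9d && (rs[j] == 0x07 || rs[j] == 0x9c) { // OSC: BEL or ST
			return j
		}
		if kind == 0x9d && rs[j] == 0x1b && j+1 < len(rs) && rs[j+1] == '\\' {
			return j + 1 // OSC terminated by ESC \
		}
	}
	return len(rs)
}

func main() {
	// constructed sample: a user name carrying a fake red "ALERT" banner
	fmt.Printf("%q\n", sanitizeTerminalText("\x1b[31mALERT: repo deleted\x1b[0m bob"))
}
```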

Scores

CVSS v3 4.6
EPSS 0.0003
EPSS Percentile 9.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-150
Status published
Products (2)
charmbracelet/soft-serve 0 - 0.11.0 (Go)
charmbracelet/soft-serve <= 0.10.0
Published Nov 08, 2025
Tracked Since Feb 18, 2026