GHSA-fv2r-r8mp-pg48: Soft Serve does not sanitize ANSI escape sequences in user input
Impact
In several places where users can supply data (e.g. names), ANSI escape sequences are not removed before the text is rendered in the terminal, so they can be used, for example, to display fake alerts.
By the same token, git commit messages are also not sanitized when printed.
Places in which this was found:
- Repository Description (pkg/backend/repo.go - SetDescription)
- Repository Project Name (pkg/backend/repo.go - SetProjectName)
- Git Commit Author Names (pkg/ssh/cmd/commit.go:69)
- Git Commit Messages (pkg/ssh/cmd/commit.go:71)
- Access Token Names (pkg/ssh/cmd/token.go:107)
- Webhook URLs (pkg/ssh/cmd/webhooks.go:72)
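An added example (not the Soft Serve project's own code, and not the fix in the referenced commit) of the kind of sanitization the fields above need before they are rendered: it strips CSI and OSC sequences, other ESC-prefixed sequences, and bare control bytes from an untrusted string, and runs it over a constructed repository description that carries a fake alert.

```go
package main

import (
	"fmt"
	"strings"
)

// stripANSI removes terminal escape sequences from untrusted text before it is
// rendered in a terminal UI. Handled: CSI (ESC '[' ... final byte 0x40-0x7E),
// OSC (ESC ']' ... BEL or ESC '\'), other ESC-prefixed sequences (ESC plus the
// next byte), and bare C0 control bytes other than tab and newline, plus DEL.
// Added example for illustration; not the Soft Serve project's own sanitizer.
func stripANSI(s string) string {
	var b strings.Builder
	b.Grow(len(s))
	for i := 0; i < len(s); i++ {
		c := s[i]
		if c != 0x1b {
			if (c < 0x20 && c != '\t' && c != '\n') || c == 0x7f {
				continue // control byte: can move the cursor or ring the bell
			}
			b.WriteByte(c)
			continue
		}
		if i+1 >= len(s) {
			break // dangling ESC at end of input
		}
		switch s[i+1] {
		case '[': // CSI: parameter/intermediate bytes 0x20-0x3F, then one final byte
			j := i + 2
			for j < len(s) && s[j] >= 0x20 && s[j] <= 0x3f {
				j++
			}
			i = j // the loop's i++ steps past the final byte
		case ']': // OSC: consume until BEL (0x07) or ST (ESC '\')
			j := i + 2
			for j < len(s) && s[j] != 0x07 && !(s[j] == 0x1b && j+1 < len(s) && s[j+1] == '\\') {
				j++
			}
			if j < len(s) && s[j] == 0x1b {
				j++ // skip the '\' of ST as well
			}
			i = j
		default: // e.g. ESC 'c' (full reset): drop ESC and the byte after it
			i++
		}
	}
	return b.String()
}

func main() {
	// Constructed sample: a repository description carrying a fake alert.
	desc := "my-repo\x1b[2J\x1b[1;31mALERT: account locked\x1b[0m\x1b]0;owned\x07"
	fmt.Printf("%q\n", stripANSI(desc))
}
```

The same function applies to commit author names, commit messages, token names and webhook URLs at the point where they are written to the terminal.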
Patches
v0.11.0
Workarounds
No.
References
n/a
- CVE-2025-64494
Moderate severity GitHub Reviewed Published Nov 6, 2025 in charmbracelet/soft-serve • Updated Nov 6, 2025
Package
gomod github.com/charmbracelet/soft-serve (Go)
Affected versions
<= 0.10.0
References
- GHSA-fv2r-r8mp-pg48
- charmbracelet/soft-serve@d963932
Published to the GitHub Advisory Database: Nov 6, 2025