CVE-2025-64494: Soft Serve does not sanitize ANSI escape sequences in user input
In several places where the user can insert data (e.g. names), ANSI escape sequences are not removed from the input. When that data is later printed to a terminal, the sequences are interpreted by the terminal and can be used, for example, to show fake alerts.
By the same token, git messages are also not sanitized when they are printed.
Places in which this was found:
- Repository Description (pkg/backend/repo.go - SetDescription)
- Repository Project Name (pkg/backend/repo.go - SetProjectName)
- Git Commit Author Names (pkg/ssh/cmd/commit.go:69)
- Git Commit Messages (pkg/ssh/cmd/commit.go:71)
- Access Token Names (pkg/ssh/cmd/token.go:107)
- Webhook URLs (pkg/ssh/cmd/webhooks.go:72)
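As an added illustration of the mitigation (not Soft Serve's own code), the following Go function strips terminal escape sequences and control characters from a user-supplied string such as the inputs listed above, so the value can be echoed back to an SSH client without being interpreted. The function name is hypothetical and the sample inputs used to exercise it are constructed for this example.

```go
package main

import "strings"

// StripANSI removes ESC-introduced sequences (CSI, OSC/DCS/SOS/PM/APC strings, two-byte
// escapes) and every control character except tab and newline from user-supplied text.
func StripANSI(s string) string {
	var b strings.Builder
	rs := []rune(s)
	for i := 0; i < len(rs); {
		r := rs[i]
		if r != 0x1b {
			// keep printable text plus tab/newline; drop C0 controls, DEL and C1 controls
			if r == '\n' || r == '\t' || !(r < 0x20 || r == 0x7f || (r >= 0x80 && r <= 0x9f)) {
				b.WriteRune(r)
			}
			i++
			continue
		}
		if i++; i >= len(rs) { // a lone trailing ESC is dropped
			break
		}
		switch c := rs[i]; c {
		case ']', 'P', 'X', '^', '_': // string sequence: ends at BEL or ST (ESC \)
			for i++; i < len(rs); i++ { // an unterminated string swallows the rest of the input
				if rs[i] == 0x07 {
					i++
					break
				}
				if rs[i] == 0x1b && i+1 < len(rs) && rs[i+1] == '\\' {
					i += 2
					break
				}
			}
		default: // CSI (ESC [): bytes 0x20..0x3F then a final byte 0x40..0x7E;
			// any other ESC x: intermediates 0x20..0x2F then a final byte 0x30..0x7E
			pmax := rune(0x2f)
			if c == '[' {
				i++
				pmax = 0x3f
			}
			for ; i < len(rs) && rs[i] >= 0x20 && rs[i] <= pmax; i++ {
			}
			if i < len(rs) && rs[i] > pmax && rs[i] <= 0x7e {
				i++
			}
		}
	}
	return b.String()
}
```

Applied to a constructed description such as `"my-repo \x1b[1;31mfake alert\x1b[0m"`, the function returns `"my-repo fake alert"`, and an OSC 8 hyperlink wrapper around `"link"` is reduced to `"link"`.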