CVE-2025-64494

4.6 MEDIUM

📋 TL;DR

Soft Serve Git server versions before 0.10.0 fail to sanitize ANSI escape sequences in user-controlled input fields like names and git messages. This allows attackers to inject terminal control sequences that can manipulate terminal output, potentially creating fake alerts or misleading information. Anyone running Soft Serve versions prior to 0.10.0 is affected.

💻 Affected Systems

Products:
  • Soft Serve
Versions: All versions prior to 0.10.0
Operating Systems: All platforms where Soft Serve runs
Default Config Vulnerable: ⚠️ Yes
Notes: Any installation using affected versions is vulnerable regardless of configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could craft malicious ANSI escape sequences to create convincing fake security alerts, manipulate terminal output to hide malicious activity, or potentially execute arbitrary commands if combined with other vulnerabilities in terminal emulators.

🟠 Likely Case

Attackers inject ANSI escape sequences to create fake terminal alerts, manipulate displayed information, or disrupt terminal output for users viewing git logs or user names.

🟢 If Mitigated

With proper input sanitization, only plain text is displayed without terminal control sequences, preventing any manipulation of terminal output.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to create repositories, write commit messages, or create user accounts containing malicious ANSI sequences. No authentication bypass is involved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.10.0

Vendor Advisory: https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-fv2r-r8mp-pg48

Restart Required: Yes

Instructions:

  1. Stop the Soft Serve service.
  2. Update to version 0.10.0 or later using your package manager or by downloading from GitHub.
  3. Restart the Soft Serve service.

🔧 Temporary Workarounds

Input validation filter

Applies to: all

Implement custom input validation that strips ANSI escape sequences from user-supplied input before it is processed or displayed, e.g. apply the substitution s/\x1b\[[0-9;]*[a-zA-Z]//g to all user input fields.

🧯 If You Can't Patch

  • Restrict user permissions to prevent untrusted users from creating repositories or committing messages.
  • Monitor logs for unusual ANSI escape sequences in user inputs and git operations.

🔍 How to Verify

Check if Vulnerable:

Check the Soft Serve version: if it is lower than 0.10.0, the system is vulnerable.

Check Version:

soft-serve --version

Verify Fix Applied:

After updating to 0.10.0 or later, test by entering ANSI escape sequences in user fields or commit messages; they should be displayed as plain text with the sequences removed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual terminal control sequences in git commit messages
  • ANSI escape codes in user account names or repository names

Network Indicators:

  • Git operations containing unusual escape sequences in payloads

SIEM Query:

Search for patterns like \x1b\[ or ESC[ in git transaction logs and user management logs.
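The workaround filter above and the SIEM search, as one added Python example (not Soft Serve's code; the log line format is constructed for illustration). The page's sed pattern covers CSI sequences (ESC [ ... letter) only; this example goes beyond it and also matches OSC sequences (ESC ] ... BEL/ST) and the other two-byte ESC sequences a terminal acts on, and shows what the narrower pattern leaves behind.

```python
import re

# The page's workaround pattern: CSI sequences only (ESC [ params final-letter).
CSI_RE = re.compile(r"\x1b\[[0-9;]*[a-zA-Z]")

# Broader 7-bit ECMA-48 coverage (assumption: 8-bit C1 controls such as 0x9B
# are not handled here; reject or strip raw bytes >= 0x80 separately if needed).
ANSI_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"              # CSI: ESC [ params intermediates final
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"   # OSC: ESC ] ... BEL or ESC \
    r"|\x1b[@-Z\\-_]"                       # remaining two-byte Fe sequences
)


def find_escape_sequences(text: str) -> list[str]:
    """Return every escape sequence in text, for alerting or log enrichment."""
    return ANSI_RE.findall(text)


def strip_escape_sequences(text: str) -> str:
    """Sanitize a user-controlled field before it reaches a terminal."""
    return ANSI_RE.sub("", text)


def missed_by_csi_only(text: str) -> list[str]:
    """Sequences that survive the CSI-only filter from the page."""
    return find_escape_sequences(CSI_RE.sub("", text))


# Constructed sample log lines (not Soft Serve's real log format).
SAMPLE_LINES = [
    "push repo=demo user=alice msg=Fix typo in README",
    "push repo=demo user=mallory msg=\x1b[31mSECURITY ALERT\x1b[0m fix build",
    "user-create name=\x1b]0;trusted-admin\x07bob",
]


def scan_log_lines(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (line number, sequences) for each line carrying escape sequences."""
    hits = []
    for n, line in enumerate(lines, 1):
        seqs = find_escape_sequences(line)
        if seqs:
            hits.append((n, seqs))
    return hits


if __name__ == "__main__":
    for n, seqs in scan_log_lines(SAMPLE_LINES):
        print(n, [s.encode() for s in seqs], strip_escape_sequences(SAMPLE_LINES[n - 1]))
```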
