CVE-2025-64494

Date: November 7, 2025

Soft Serve is a self-hostable Git server for the command line. In versions prior to 0.10.0, there are several places where the user can insert data (e.g. names) from which ANSI escape sequences are not removed; these sequences can then be used, for example, to show fake alerts. By the same token, Git messages are also not sanitized when printed. This issue is fixed in version 0.10.0.
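The class of mitigation this weakness calls for, as an added example that is not Soft Serve's own code or its actual fix: strip CSI and OSC escape sequences and any remaining control characters from untrusted names and commit messages before writing them to a terminal. The function name `StripTerminalControls` and the sample message are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// StripTerminalControls (hypothetical helper) removes CSI/OSC escape sequences
// and C0/C1 control characters from untrusted text; newline and tab are kept.
func StripTerminalControls(s string) string {
	var b strings.Builder
	r := []rune(s)
	for i := 0; i < len(r); i++ {
		c := r[i]
		switch {
		case c == 0x1b && i+1 < len(r) && r[i+1] == '[': // CSI: ESC [ params final
			i += 2
			for i < len(r) && r[i] >= 0x20 && r[i] <= 0x3f {
				i++ // parameter and intermediate bytes
			}
			if i >= len(r) || r[i] < 0x40 || r[i] > 0x7e {
				i-- // malformed sequence: re-examine this rune on the next pass
			}
		case c == 0x1b && i+1 < len(r) && r[i+1] == ']': // OSC: ends at BEL or ESC \
			i += 2
			for i < len(r) && r[i] != 0x07 {
				if r[i] == 0x1b && i+1 < len(r) && r[i+1] == '\\' {
					i++
					break
				}
				i++ // an unterminated OSC is dropped to the end of the input
			}
		case c == '\n' || c == '\t':
			b.WriteRune(c)
		case c < 0x20 || c == 0x7f || (c >= 0x80 && c <= 0x9f):
			// remaining C0 controls (including a lone ESC), DEL and C1: dropped
		default:
			b.WriteRune(c)
		}
	}
	return b.String()
}

func main() {
	// Constructed sample: a commit message carrying clear-screen, colour and title sequences.
	msg := "fix: typo\x1b[2J\x1b[1;31mALERT: key compromised\x1b[0m\x1b]0;fake title\x07\r"
	fmt.Printf("%q\n", StripTerminalControls(msg))
}
```

Apply the filter at the point of output rather than only at input, so that data stored before the upgrade is also neutralized when displayed.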

Severity Score

Weakness Type (CWE)

Improper Neutralization of Escape, Meta, or Control Sequences

CWE-150

Top Fix

Upgrade Version

Upgrade to version github.com/charmbracelet/soft-serve - v0.11.0;https://github.com/charmbracelet/soft-serve.git - v0.11.0

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE
