What is CVE-2025-64494?

CVE-2025-64494 is a medium-severity vulnerability in Charmbracelet Soft-serve, classified under CWE-150. CVSS score: 4.6/10. Published 2025-11-08.

How severe is CVE-2025-64494?

Medium severity. CVSS v3 base score is 4.6 out of 10.

Vulnerability in Charmbracelet Soft-serve

CVE-2025-64494

Soft Serve is a self-hostable Git server for the command line. In versions prior to 0.10.0, there are several places where the user can insert data (e.g. names) and ANSI escape sequences are not being removed, which can then be used, for e…

EPSS: 0.000 (10.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 4.6 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N.

Affected products

Charmbracelet Soft-serve — versions <= 0.10.0

Weakness classification (CWE)

CWE-150

References

https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-fv2r-r8mp-pg48 (x_refsource_CONFIRM)
https://github.com/charmbracelet/soft-serve/commit/d9639320b8d0ccd76fe6836a042c042b0ebde549 (x_refsource_MISC)

Frequently asked questions

What is CVE-2025-64494?: CVE-2025-64494 is a medium-severity vulnerability in Charmbracelet Soft-serve, classified under CWE-150. CVSS score: 4.6/10. Published 2025-11-08.
How severe is CVE-2025-64494?: Medium severity. CVSS v3 base score is 4.6 out of 10.