CVE-2025-64494: CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences in charmbracelet soft-serve
Soft Serve is a self-hostable Git server for the command line. In versions prior to 0.10.0, there are several places where the user can insert data (e.g. names) and ANSI escape sequences are not being removed, which can then be used, for example, to show fake alerts. By the same token, git messages, when printed, are also not sanitized. This issue is fixed in version 0.10.0.
AI Analysis
Technical Summary
CVE-2025-64494 is a vulnerability classified under CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences) affecting charmbracelet's soft-serve, a self-hostable Git server designed for command-line use. In versions prior to 0.10.0, soft-serve fails to sanitize ANSI escape sequences embedded in user-controllable fields such as user names and git commit messages. These sequences manipulate terminal output: the injected control characters can alter text color or cursor position, or display fake alerts, potentially misleading users or administrators. The vulnerability arises because the application writes these unsanitized strings directly to terminal interfaces without filtering or escaping. Exploitation requires an attacker to have at least low-level privileges (PR:L) and network access (AV:N), and user interaction (UI:R) is necessary to view the malicious output. The scope is unchanged (S:U), meaning the impact is limited to the vulnerable component. The CVSS 3.1 base score is 4.6 (medium), reflecting limited confidentiality and integrity impact without affecting availability. Although no known exploits are currently reported in the wild, the flaw could be leveraged for social engineering, phishing within terminal sessions, or misleading users into executing harmful commands. The issue is resolved in soft-serve version 0.10.0 by properly sanitizing or removing ANSI escape sequences from user inputs and git messages before rendering.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to developers, DevOps teams, and administrators using soft-serve for internal Git hosting. The injection of ANSI escape sequences can lead to deceptive terminal outputs, potentially tricking users into executing malicious commands or disclosing sensitive information. While it does not directly compromise system availability or allow remote code execution, the manipulation of terminal displays can undermine trust in repository data and lead to indirect security breaches. Organizations relying on soft-serve for critical code repositories or CI/CD pipelines could face integrity risks if attackers exploit this flaw to inject misleading information. The impact is more pronounced in environments where terminal-based Git interactions are frequent and where users may not be trained to recognize manipulated outputs. Given the medium severity and the requirement for user interaction, the threat is moderate but should not be underestimated, especially in sectors with high security requirements such as finance, government, and critical infrastructure within Europe.
Mitigation Recommendations
European organizations should immediately upgrade all instances of soft-serve to version 0.10.0 or later, where the vulnerability is fixed. Until upgrades are completed, implement input validation and sanitization on all user-supplied data fields, specifically stripping or escaping ANSI escape sequences before rendering outputs in terminal interfaces. Educate developers and users to be cautious of unexpected terminal alerts or messages, especially those containing unusual formatting or control characters. Employ terminal emulators or shells that can restrict or disable the interpretation of ANSI escape sequences where feasible. Monitor Git server logs for suspicious inputs containing escape sequences and consider deploying intrusion detection rules to flag anomalous repository activity. Additionally, restrict access to soft-serve instances to trusted networks and authenticated users to reduce exposure. Regularly audit and review repository metadata and commit messages for suspicious content. Integrate security scanning tools that detect control character injection in code repositories as part of the CI/CD pipeline.
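As an added example (not soft-serve's own code), the following Go function implements the sanitization step the mitigation above describes: it strips CSI, OSC/DCS-style and other ESC-introduced sequences together with C0/C1 control characters from untrusted strings such as user names and commit messages before they are rendered to a terminal. Function names and the behaviour on truncated sequences are assumptions of this example, not of the project.

```go
package main

import "strings"

// SanitizeTerminal strips ANSI escape sequences and C0/C1 control characters
// from untrusted text (user names, commit messages) before it reaches a terminal.
func SanitizeTerminal(s string) string {
	var b strings.Builder
	r := []rune(s)
	for i := 0; i < len(r); i++ {
		c := r[i]
		switch {
		case c == 0x1B: // ESC: drop the whole sequence
			i = skipEscape(r, i)
		case c == '\n' || c == '\t': // keep line structure of commit messages
			b.WriteRune(c)
		case c < 0x20 || c == 0x7F || (c >= 0x80 && c <= 0x9F):
			// BEL, CR, DEL and 8-bit C1 controls (e.g. U+009B CSI): drop
		default:
			b.WriteRune(c)
		}
	}
	return b.String()
}

// skipEscape returns the index of the last rune of the escape sequence starting
// at r[i] (an ESC); a truncated sequence is consumed to the end of the input.
func skipEscape(r []rune, i int) int {
	switch {
	case i+1 >= len(r): // lone ESC at end of input
		return i
	case r[i+1] == '[': // CSI: ESC [ params ... final byte in 0x40..0x7E
		j := i + 2
		for ; j < len(r) && (r[j] < 0x40 || r[j] > 0x7E); j++ {
		}
		return j
	case strings.ContainsRune("]P^_", r[i+1]): // OSC/DCS/PM/APC: ends at BEL or ESC \
		for j := i + 2; j < len(r); j++ {
			if r[j] == 0x07 {
				return j
			}
			if r[j] == 0x1B { // ESC \ terminator: hand the ESC back to the caller
				return j - 1
			}
		}
		return len(r)
	default: // two-character escape such as ESC c (full reset)
		return i + 1
	}
}
```

Comparing `SanitizeTerminal(s)` with `s` also gives a cheap detector for flagging suspicious user names or commit messages in server logs or CI checks.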
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-05T19:12:25.103Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690e9f0a3a8fd010ecd0f4f6
Added to database: 11/8/2025, 1:38:18 AM
Last enriched: 11/15/2025, 4:49:37 AM
Last updated: 12/22/2025, 6:45:54 AM
Views: 88