CVE-2025-64494: CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences in charmbracelet soft-serve
Soft Serve is a self-hostable Git server for the command line. In versions prior to 0.10.0, there are several places where the user can insert data (e.g. names) and ANSI escape sequences are not being removed, which can then be used, for example, to show fake alerts. By the same token, git messages, when printed, are also not being sanitized. This issue is fixed in version 0.10.0.
AI Analysis
Technical Summary
CVE-2025-64494 is classified under CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences) and affects charmbracelet's soft-serve, a self-hostable Git server whose interface is used from the terminal. In versions before 0.10.0, user-controllable strings such as display names and git commit messages are printed without removing ANSI escape sequences. These sequences are byte strings introduced by the ESC character (0x1b) that a terminal interprets as commands rather than text: they can change colors, move the cursor, clear the screen, overwrite lines already printed, or set the window title. Because the server writes its output straight into the viewer's terminal, a user who can set a name or push a commit can embed such sequences so that whoever later views the affected output sees a fabricated alert, a rewritten earlier line, or output crafted to hide earlier activity. This is a presentation-layer integrity problem that enables social engineering; what an injected sequence can actually do is bounded by the victim's terminal emulator. The CVSS v3.1 vector requires low privileges (PR:L, an account able to insert the data) and user interaction (UI:R, someone viewing the output), and the score of 4.6 (medium) reflects limited confidentiality and integrity impact and no availability impact. The issue is fixed in soft-serve 0.10.0, which sanitizes user input and git messages before display. No exploitation in the wild was reported at publication. Exposure is greatest where soft-serve output is viewed interactively in terminals, or is copied into scripts and CI/CD logs that are later rendered in a terminal.
Potential Impact
For European organizations the practical risk is deception rather than compromise: manipulated output undermines trust in what the Git server displays and can support phishing or social engineering, for instance a fake "credentials expired" prompt appearing in a repository listing. The flaw does not affect availability and does not give code execution on the server, but it can mislead developers and administrators and obscure malicious activity in commit history. Organizations using soft-serve for internal or external hosting may therefore see reduced confidence in displayed information, and some information disclosure is possible if users act on deceptive messages. Sectors that depend on verifiable software provenance, such as finance, critical infrastructure and government, are most affected, as are distributed teams that work mainly through command-line clients. No exploit has been reported, which lowers immediate risk; the injection itself, however, requires nothing beyond pushing a commit or setting a name, so the absence of a public exploit should not be read as difficulty.
Mitigation Recommendations
European organizations should upgrade every soft-serve instance to version 0.10.0 or later, where the issue is fixed. Until then, note that the injection happens in output the server itself writes to clients' terminals, so the interim control must also be server-side: patch or wrap the rendering paths so that ESC (0x1b) and other control bytes in names, commit messages and similar fields are removed or replaced before display, rather than relying on each user's terminal. Audit existing repositories and user records for escape bytes already present, for example by scanning stored commit messages and names for 0x1b; hits indicate that someone has already tried this and are worth investigating. Restrict push and account-creation rights to trusted users to limit who can insert such data. Prefer terminal emulators and log viewers that neutralize or highlight unexpected control sequences, and train developers and administrators to treat alerts that appear inside repository listings or commit logs with suspicion and to verify them through a separate channel. Finally, review CI/CD pipelines and developer tooling that print commit metadata to terminals or logs, and add monitoring for unexpected messages or escape bytes in Git server output.
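The following Go program is an added example written for this page; it is not soft-serve's code and does not reproduce the 0.10.0 fix, whose implementation the page does not show. It illustrates both the technical summary above (constructed sample inputs, labelled as such, carrying screen-clear, color, window-title and hyperlink sequences of the kind a low-privileged user could place in a name or commit message) and the interim mitigation (a sanitizer that removes ESC-introduced sequences and stray control bytes before output, plus a check that reports which stored fields already contain such bytes). Function names such as StripANSI and TaintedFields are the example's own.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample inputs (not taken from any real repository or from the
// advisory): a display name and a commit message carrying the kind of ANSI
// sequences a low-privileged user could push to a pre-0.10.0 soft-serve.
const (
	// ESC[2J clears the screen, ESC[H homes the cursor, ESC[1;31m paints the
	// rest bold red: the viewer sees only a "system" alert, not a username.
	SampleUser = "mallory\x1b[2J\x1b[H\x1b[1;31m[ALERT] repository quarantined, re-run setup\x1b[0m"
	// OSC 0 (ESC ] 0 ; ... BEL) retitles the terminal window; the second line
	// is recolored to look like a warning from the tool, not commit text.
	SampleMsg = "Fix typo\x1b]0;pwned\x07\n\x1b[31mWARNING: tokens leaked, rotate now\x1b[0m\n"
)

// StripANSI removes ESC-introduced sequences and all other C0 control bytes
// (plus DEL), keeping printable text, newline and tab. Scanning by byte is
// safe for UTF-8: ESC and the control bytes are below 0x80 and never occur
// inside a multi-byte character, which is copied through untouched.
func StripANSI(s string) string {
	var b strings.Builder
	b.Grow(len(s))
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c == 0x1b:
			i = skipEscape(s, i) // jump to the last byte of the sequence
		case c == '\n' || c == '\t':
			b.WriteByte(c)
		case c < 0x20 || c == 0x7f:
			// CR, BEL, backspace and friends are dropped: CR is the classic
			// "overwrite the line that was just printed" trick.
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// skipEscape returns the index of the last byte of the escape sequence that
// starts at s[i] (which must be ESC). Grammar covered:
//   CSI  ESC '[' [0x20-0x3F]* final[0x40-0x7E]          e.g. ESC[1;31m
//   OSC/DCS/SOS/PM/APC  ESC ']'|'P'|'X'|'^'|'_' ... BEL | ESC '\'
//   nF/Fp/Fe  ESC [0x20-0x2F]* final                     e.g. ESC(B, ESCc
// Malformed or truncated sequences drop what was consumed and nothing more.
func skipEscape(s string, i int) int {
	if i+1 >= len(s) {
		return i
	}
	switch s[i+1] {
	case '[':
		j := i + 2
		for j < len(s) && s[j] >= 0x20 && s[j] <= 0x3f {
			j++
		}
		if j < len(s) && s[j] >= 0x40 && s[j] <= 0x7e {
			return j
		}
		return j - 1 // no final byte: resume normal scanning at s[j]
	case ']', 'P', 'X', '^', '_':
		for j := i + 2; j < len(s); j++ {
			if s[j] == 0x07 {
				return j
			}
			if s[j] == 0x1b && j+1 < len(s) && s[j+1] == '\\' {
				return j + 1
			}
		}
		return len(s) - 1 // unterminated: a terminal would swallow the rest too
	default:
		j := i + 1
		for j < len(s) && s[j] >= 0x20 && s[j] <= 0x2f {
			j++
		}
		if j < len(s) {
			return j
		}
		return len(s) - 1
	}
}

// ContainsEscape reports whether s holds ESC, DEL or any C0 control byte
// other than newline and tab, i.e. anything StripANSI would remove.
func ContainsEscape(s string) bool {
	for i := 0; i < len(s); i++ {
		c := s[i]
		if c == 0x1b || c == 0x7f || (c < 0x20 && c != '\n' && c != '\t') {
			return true
		}
	}
	return false
}

// TaintedFields is the audit helper: given stored field name -> value, it
// returns the sorted names of fields that already contain control bytes.
func TaintedFields(fields map[string]string) []string {
	var hits []string
	for name, v := range fields {
		if ContainsEscape(v) {
			hits = append(hits, name)
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	stored := map[string]string{"author": SampleUser, "message": SampleMsg, "branch": "main"}
	for _, name := range []string{"author", "message"} {
		fmt.Printf("%-8s raw:   %q\n", name, stored[name])
		fmt.Printf("%-8s clean: %q\n", name, StripANSI(stored[name]))
	}
	fmt.Println("fields needing investigation:", TaintedFields(stored))
}
```

Note what sanitizing does and does not do: the fake alert text survives as plain text, so a reviewer sees it for what it is, part of the username, instead of a red banner on a cleared screen. The audit helper is the same check run over stored data rather than at render time; any hit is evidence of an attempt, not merely a hygiene issue.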
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Estonia
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-05T19:12:25.103Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690e9f0a3a8fd010ecd0f4f6
Added to database: 11/8/2025, 1:38:18 AM
Last enriched: 11/8/2025, 1:53:23 AM
Last updated: 11/8/2025, 6:14:33 AM
Related Threats
- CVE-2025-9334 (High): CWE-94 Improper Control of Generation of Code ('Code Injection') in codesolz Better Find and Replace – AI-Powered Suggestions
- CVE-2025-7663 (Medium): CWE-862 Missing Authorization in ovatheme Ovatheme Events Manager
- CVE-2025-12353 (Medium): CWE-639 Authorization Bypass Through User-Controlled Key in getwpfunnels Easy WordPress Funnel Builder To Collect Leads And Increase Sales – WPFunnels
- CVE-2025-12193 (Medium): CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in kitae-park Mang Board WP
- CVE-2025-12177 (Medium): CWE-321 Use of Hard-coded Cryptographic Key in codename065 Download Manager