PT-2025-45716 · Go · Github.Com/Charmbracelet/Soft-Serve

Published: 2025-11-06 · Updated: 2025-11-06

CVSS v3.1: 4.6 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Impact

In several places where users can supply data (e.g. names), ANSI escape sequences are not removed, so they can be used, for example, to display fake alerts.
By the same token, Git messages are not sanitized when they are printed.
Places in which this was found:
  1. Repository Description (pkg/backend/repo.go - SetDescription)
  2. Repository Project Name (pkg/backend/repo.go - SetProjectName)
  3. Git Commit Author Names (pkg/ssh/cmd/commit.go:69)
  4. Git Commit Messages (pkg/ssh/cmd/commit.go:71)
  5. Access Token Names (pkg/ssh/cmd/token.go:107)
  6. Webhook URLs (pkg/ssh/cmd/webhooks.go:72)
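
One way to neutralise such fields before they reach a terminal, as an added example (not soft-serve's code and not the v0.11.0 patch): a stateful filter that drops CSI and OSC-style sequences plus stray control characters. `SanitizeForTerminal` and its `keepLayout` parameter are hypothetical names, and the sample description is constructed.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// SanitizeForTerminal (hypothetical helper, not soft-serve's API) strips ANSI
// escapes and control characters; '\n' and '\t' survive only if keepLayout.
func SanitizeForTerminal(s string, keepLayout bool) string {
	const (
		text = iota
		esc  // previous rune was ESC
		csi  // inside ESC [ params ... final byte
		str  // inside an OSC/DCS/SOS/PM/APC string, ended by BEL or ESC \
	)
	var b strings.Builder
	state, prev := text, rune(0)
	for _, c := range s {
		switch {
		case state == esc && c == '[':
			state = csi
		case state == esc && strings.ContainsRune("]PX^_", c):
			state = str
		case state == esc:
			state = text // two-character escape: drop ESC and this rune
		case state == csi && c >= 0x20 && c <= 0x3f: // parameter byte: keep skipping
		case state == csi:
			state = text // final byte (or malformed input) ends the sequence
		case state == str:
			if c == 0x07 || (prev == 0x1b && c == '\\') {
				state = text
			}
		case c == 0x1b:
			state = esc
		case c == 0x9b: // 8-bit CSI
			state = csi
		case (keepLayout && (c == '\n' || c == '\t')) || !unicode.IsControl(c):
			b.WriteRune(c)
		}
		prev = c
	}
	return b.String()
}

func main() { // constructed sample: a description that redraws the line in red
	fmt.Printf("%q\n", SanitizeForTerminal("demo\x1b[2K\r\x1b[31mALERT\x1b[0m", false))
}
```

Commit author names and messages live in Git objects, so a filter like this has to run where the text is printed, not only where descriptions, project names or token names are stored.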

Patches

v0.11.0

Workarounds

No.

References

n/a

Fix

Weakness Enumeration

Related identifiers

GHSA-FV2R-R8MP-PG48

Affected products

Github.Com/Charmbracelet/Soft-Serve