PT-2025-45716 · Go · Github.Com/Charmbracelet/Soft-Serve

Published: 2025-11-06 · Updated: 2025-11-06

CVSS v3.1: 4.6 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Impact

In several places where the user can insert data (e.g. names), ANSI escape sequences are not removed, so they can be used, for example, to show fake alerts.
By the same token, git messages are not sanitized when printed.
Places in which this was found:
  1. Repository Description (pkg/backend/repo.go - SetDescription)
  2. Repository Project Name (pkg/backend/repo.go - SetProjectName)
  3. Git Commit Author Names (pkg/ssh/cmd/commit.go:69)
  4. Git Commit Messages (pkg/ssh/cmd/commit.go:71)
  5. Access Token Names (pkg/ssh/cmd/token.go:107)
  6. Webhook URLs (pkg/ssh/cmd/webhooks.go:72)
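
One way to neutralize the fields listed above before they reach a terminal, shown as an added example and not the Soft Serve patch: strip ESC-introduced sequences (CSI and OSC/DCS-style strings) and all control characters except newline and tab. The names `sanitizeForTerminal` and `skipEscape` are hypothetical, and the input in `main` is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// skipEscape returns the index of the last rune of the escape sequence at r[i].
func skipEscape(r []rune, i int) int {
	if i+1 >= len(r) {
		return i // lone ESC at end of input
	}
	j := i + 2
	switch r[i+1] {
	case '[': // CSI: parameter/intermediate bytes, then one final byte
		for j < len(r) && r[j] >= 0x20 && r[j] <= 0x3f {
			j++
		}
		if j < len(r) && r[j] >= 0x40 && r[j] <= 0x7e {
			return j
		}
		return j - 1 // malformed: drop only what was consumed
	case ']', 'P', 'X', '^', '_': // OSC/DCS/SOS/PM/APC strings
		for ; j < len(r) && r[j] != 0x07 && r[j] != 0x1b; j++ {
		}
		if j < len(r) && r[j] == 0x1b {
			return j - 1 // ST (ESC \): the caller strips it as a short escape
		}
		return j // BEL, or end of input when unterminated (rest is dropped)
	}
	return i + 1 // short escape such as ESC c: drop ESC and the next rune
}

// sanitizeForTerminal (hypothetical helper) drops escapes and controls except \n, \t.
func sanitizeForTerminal(s string) string {
	var b strings.Builder
	r := []rune(s)
	for i := 0; i < len(r); i++ {
		switch c := r[i]; {
		case c == 0x1b:
			i = skipEscape(r, i)
		case c == '\n' || c == '\t' || c >= 0xa0 || (c >= 0x20 && c < 0x7f):
			b.WriteRune(c)
		}
	}
	return b.String()
}

// Constructed input modelled on an access token name.
func main() { fmt.Printf("%q\n", sanitizeForTerminal("tok\x1b[2K\r\x1b[31mALERT\x1b[0m")) }
```

Carriage return is dropped along with the other controls because it lets later text overwrite the start of the line; single-line fields such as token names may also want newline and tab rejected.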

Patches

v0.11.0

Workarounds

No.

References

n/a

Weakness Enumeration

Related Identifiers

GHSA-FV2R-R8MP-PG48

Affected Products

Github.Com/Charmbracelet/Soft-Serve