GHSA-fv2r-r8mp-pg48
Suggest an improvement- Source
- https://github.com/advisories/GHSA-fv2r-r8mp-pg48
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-fv2r-r8mp-pg48/GHSA-fv2r-r8mp-pg48.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-fv2r-r8mp-pg48
- Aliases
- Published
- 2025-11-06T23:48:12Z
- Modified
- 2025-11-07T00:27:52.489157Z
- Severity
-
- 4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- Soft Serve does not sanitize ANSI escape sequences in user input
- Details
-
Impact
In several places where the user can insert data (e.g. names), ANSI escape sequences are not being removed, which can then be used, for example, to show fake alerts.
In the same token, git messages, when printed, are also not being sanitized.
Places in which this was found:
- Repository Description (pkg/backend/repo.go - SetDescription)
- Repository Project Name (pkg/backend/repo.go - SetProjectName)
- Git Commit Author Names (pkg/ssh/cmd/commit.go:69)
- Git Commit Messages (pkg/ssh/cmd/commit.go:71)
- Access Token Names (pkg/ssh/cmd/token.go:107)
- Webhook URLs (pkg/ssh/cmd/webhooks.go:72)
Patches
v0.11.0
Workarounds
No.
References
n/a
- Database specific
{ "github_reviewed_at": "2025-11-06T23:48:12Z", "cwe_ids": [ "CWE-150" ], "github_reviewed": true, "nvd_published_at": null, "severity": "MODERATE" }- References
Affected packages
Go / github.com/charmbracelet/soft-serve
Package
- Name
- github.com/charmbracelet/soft-serve
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/charmbracelet/soft-serve