PT-2025-40939 · OpenBSD +1 · OpenSSH +1
David Leadbeater · Published 2025-10-06 · Updated 2025-10-14
CVE-2025-61984 · CVSS v3.1: 3.6 (Low)
Base vector: AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
OpenSSH versions prior to 10.1
Description
An issue exists in OpenSSH where control characters in usernames that originate from untrusted sources, such as the command line or configuration file expansion, can lead to code execution when a ProxyCommand is used. The ProxyCommand is executed through 'exec %s', and the presence of control characters allows command injection: a username containing a newline character followed by a malicious command causes the shell to execute that command. This issue has been observed in real-world attacks targeting Git submodules. The vulnerability allows remote code execution. Because the ProxyCommand is considered a trusted component, this is a significant risk.
Recommendations
Update to OpenSSH version 10.1 or later.
Disable or limit the use of the ProxyCommand feature.
Require the use of jump hosts or bastions.
Enforce strict AllowUsers or Match blocks in the SSH configuration.
Force non-interactive shells for SSH helper processes.
Rotate SSH keys.
Tighten ingress access control lists.
Treat exposed hosts as compromised until proven otherwise.
Tags: Exploit · Fix · RCE
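The mechanism above (untrusted %-token values spliced into a command line that is then handed to a shell) and the mitigation of refusing control characters can be shown at the token-expansion level. The following is an added illustration, not OpenSSH's code: the expander, the `strict` check (rejecting any C0 control character or DEL in an expansion value, my approximation of the fix's intent rather than a copy of it), the hypothetical `audit_ssh_config` helper, and the sample config and usernames are all constructed here.

```python
"""Token-level illustration of CVE-2025-61984 and a defensive check.

Constructed example: none of this is OpenSSH code. It never runs a shell;
it only shows what the shell would be handed and where a check belongs.
"""
import re

# Any C0 control character or DEL. A newline is the one the advisory names,
# but a check that stops at "\n" alone is too narrow.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


class UnsafeExpansionValue(ValueError):
    """Raised when an expansion value could alter the shell command line."""


def expand_tokens(template: str, values: dict[str, str]) -> str:
    """Expand ssh_config-style tokens (%r user, %h host, %p port, %% literal).

    Deliberately does no validation: this is the pre-fix shape of the problem.
    """
    out, i = [], 0
    while i < len(template):
        ch = template[i]
        if ch == "%" and i + 1 < len(template):
            tok = template[i + 1]
            if tok == "%":
                out.append("%")
            elif tok in values:
                out.append(values[tok])
            else:
                raise ValueError(f"unknown token %{tok}")
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def expand_proxy_command(template: str, values: dict[str, str], strict: bool = True) -> str:
    """Expand a ProxyCommand template; with strict=True refuse control characters.

    The strict branch is the defensive step: values that came from the command
    line or config expansion are checked before they touch the command string.
    """
    if strict:
        for tok, value in values.items():
            if CONTROL_CHARS.search(value):
                raise UnsafeExpansionValue(f"%{tok} value contains control characters")
    return expand_tokens(template, values)


def shell_lines(command: str) -> list[str]:
    """Lines the shell would parse separately if given `exec <command>`.

    More than one non-empty line means the expansion produced extra
    command(s) beyond the intended ProxyCommand.
    """
    return [line for line in command.split("\n") if line.strip()]


# Matches "ProxyCommand value" or "ProxyCommand=value", case-insensitive.
_PROXY_RE = re.compile(r"^\s*proxycommand\s*=?\s*(.+)$", re.IGNORECASE)


def audit_ssh_config(text: str) -> list[tuple[int, str]]:
    """Hypothetical helper: list ProxyCommand lines that interpolate the remote
    username (%r), the token the advisory singles out as untrusted input.

    Returns (line_number, directive_text). "%%r" is a literal and is ignored.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _PROXY_RE.match(line)
        if match and "%r" in match.group(1).replace("%%", ""):
            findings.append((lineno, line))
    return findings


# Constructed sample config and usernames for the demonstration below.
SAMPLE_CONFIG = """\
Host bastion-hop
    ProxyCommand ssh -W %h:%p %r@bastion.example.invalid
Host direct
    ProxyCommand nc %h %p
# ProxyCommand ssh -W %h:%p %r@commented-out
"""
TEMPLATE = "ssh -W %h:%p %r@bastion.example.invalid"
SAFE_USER = "alice"
BAD_USER = "alice\nINJECTED_MARKER"  # newline splits the shell command line

if __name__ == "__main__":
    print(expand_proxy_command(TEMPLATE, {"h": "target", "p": "22", "r": SAFE_USER}))
    unsafe = expand_proxy_command(TEMPLATE, {"h": "target", "p": "22", "r": BAD_USER}, strict=False)
    print("lines the shell would see without the check:", len(shell_lines(unsafe)))
    try:
        expand_proxy_command(TEMPLATE, {"h": "target", "p": "22", "r": BAD_USER})
    except UnsafeExpansionValue as exc:
        print("strict check refused:", exc)
    for lineno, directive in audit_ssh_config(SAMPLE_CONFIG):
        print(f"config line {lineno} interpolates %r: {directive}")
```

The point of `shell_lines` is to make the failure visible without executing anything: with `strict=False` the newline in the username turns one ProxyCommand into two shell lines, and with the default `strict=True` the same input is refused before any command string exists. The audit helper supports the "disable or limit the use of ProxyCommand" recommendation by locating the directives whose expansion depends on a username.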
Related Identifiers: CVE-2025-61984
Affected Products: Debian, OpenSSH
References · 41
- 🔥 https://dgl.cx/2025/10/bash-a-newline-ssh-proxycommand-cve-2025-61984 · Exploit
- https://security-tracker.debian.org/tracker/source-package/openssh · Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-61984 · Security Note
- https://security-tracker.debian.org/tracker/CVE-2025-61984 · Vendor Advisory
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61984 · Security Note
- https://twitter.com/MNovofastovsky/status/1975485063073833229 · Twitter Post
- https://twitter.com/CybershieldHub/status/1975460602026803633 · Twitter Post
- https://twitter.com/z3nch4n/status/1975793482183868675 · Twitter Post
- https://twitter.com/_r_netsec/status/1975878362460766430 · Twitter Post
- https://reddit.com/r/CVEWatch/comments/1o2caq2/top_10_trending_cves_09102025 · Reddit Post
- https://marc.info/?l=openssh-unix-dev&m=175974522032149&w=2 · Note
- https://twitter.com/The_Cyber_News/status/1975449905515868481 · Twitter Post
- https://t.me/RNetsec/22066 · Telegram Post
- https://reddit.com/r/AlmaLinux/comments/1o28mdo/cve202561984 · Reddit Post
- https://twitter.com/fridaysecurity/status/1975752032054038753 · Twitter Post