PT-2025-40939 · OpenBSD +1 · OpenSSH +1

David Leadbeater · Published 2025-10-06 · Updated 2025-11-28 · CVE-2025-61984

CVSS v3.1: 3.6
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OpenSSH versions prior to 10.1
Description: OpenSSH prior to version 10.1 contains a flaw in the handling of usernames that contain control characters when the ProxyCommand feature is used. This can lead to remote code execution. The issue arises because OpenSSH does not properly sanitize usernames that originate from untrusted sources, such as the command line or the expansion of configuration files. Specifically, an attacker can inject commands into the ProxyCommand execution flow by crafting a username that contains control characters such as newlines. When a shell processes the ProxyCommand, the injected commands are executed, potentially leading to full system compromise. The vulnerability is particularly dangerous where ProxyCommand is used in environments such as CI/CD pipelines, bastion hosts, or with Git submodules. Exploitation can result in credential theft and complete control of the client host. The ProxyCommand feature executes commands using 'exec %s', and the vulnerability stems from the shell's handling of the syntax errors caused by the injected control characters.
Recommendations: Upgrade OpenSSH to version 10.1 or later. If an immediate upgrade is not possible, disable or limit the use of the ProxyCommand feature. Require jump hosts or bastions to restrict access and minimize the attack surface. Enforce strict AllowUsers and Match blocks in the SSH configuration to limit authorized users and connections. Force non-interactive shells for SSH helper processes to prevent command injection. Review SSH logs (auth.log) for unusual ProxyCommand invocations and other suspicious activity. Rotate SSH keys as a precautionary measure. Tighten ingress access control lists (ACLs) to restrict network access to SSH. Treat potentially exposed hosts as compromised until proven otherwise.

Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers

BDU:2025-12884
CVE-2025-61984
ECHO-8420-5303-4F71
JLSEC-2025-7
OESA-2025-2582
OESA-2025-2583
OESA-2025-2584
OESA-2025-2585
OESA-2025-2586
OESA-2025-2646

Affected Products

Debian
Openssh