PT-2025-40939 · Openbsd +1 · Openssh +1
David Leadbeater · Published 2025-10-06 · Updated 2025-10-16 · CVE-2025-61984
CVSS v3.1: 3.6 (Low)
Base vector: AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
OpenSSH versions prior to 10.1
Description
OpenSSH contains a flaw where control characters in usernames that originate from untrusted sources can lead to code execution when a ProxyCommand is used. Specifically, the issue arises from the unsafe handling of control characters, such as newlines, in usernames. This allows an attacker to inject commands via the ProxyCommand, potentially achieving remote code execution (RCE) on vulnerable servers. The vulnerability is particularly dangerous because ProxyCommand is trusted to run shell helpers on connection. Exploitation has been demonstrated using Git submodules to deliver the malicious payload. The vulnerability can be triggered when the ProxyCommand uses %r (remote user) and an unpatched version of OpenSSH is in use.
Recommendations
- Update to OpenSSH version 10.1 or later.
- Disable or limit the use of ProxyCommand as a temporary mitigation.
- Require jump-hosts or bastions to restrict direct access.
- Enforce strict AllowUsers or Match blocks in the SSH configuration.
- Force non-interactive shells for SSH helpers.
Exploit · Fix · RCE
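As an added defensive check (example code, not from the original record or from OpenSSH), the scanner below decodes the URLs in a constructed .gitmodules file the way git-config does and flags any SSH username that contains a control character, the condition the description above ties to the %r expansion. The control-character rule and the two URL forms handled are this example's own assumptions, not OpenSSH's exact validation.

```python
import re

# Constructed sample .gitmodules (not from the original page); the second entry
# hides an escaped newline in the SSH username, which git-config decodes.
SAMPLE_GITMODULES = '''\
[submodule "lib/good"]
\tpath = lib/good
\turl = git@example.invalid:org/good.git
[submodule "lib/bad"]
\tpath = lib/bad
\turl = "ssh://git\\n@example.invalid/org/bad.git"
'''

# Escapes git-config recognizes inside values.
_ESCAPES = {"n": "\n", "t": "\t", "b": "\b", "\\": "\\", '"': '"'}

def unquote_config_value(value):
    # Strip surrounding quotes, then expand backslash escapes.
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), value)

def username_is_safe(user):
    # Conservative rule for this example, not OpenSSH's exact check: no ASCII control bytes.
    return bool(user) and re.search(r"[\x00-\x1f\x7f]", user) is None

def ssh_user_from_url(url):
    # User part of ssh://user@host/path or scp-like user@host:path, else None.
    m = re.match(r"^ssh://(?:([^@/]*)@)?[^/:]+", url)
    if m is None:
        m = re.match(r"^(?:([^@:/]*)@)?[^:/]+:", url)
    return m.group(1) if m else None

def find_unsafe_submodule_urls(gitmodules_text):
    # Return (submodule name, decoded url) for entries whose SSH username fails the check.
    flagged, section = [], None
    for line in gitmodules_text.splitlines():
        line = line.strip()
        m = re.match(r'^\[submodule\s+"(.*)"\]$', line)
        if m:
            section = m.group(1)
            continue
        key, _, value = line.partition("=")
        if section is not None and key.strip() == "url":
            url = unquote_config_value(value)
            user = ssh_user_from_url(url)
            if user is not None and not username_is_safe(user):
                flagged.append((section, url))
    return flagged
```

Run over a repository's .gitmodules before a recursive clone or submodule update; a non-empty result means the decoded URL would hand a username with control characters to the ssh client.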
Related Identifiers
CVE-2025-61984
Affected Products
Debian
Openssh
References · 44
- 🔥 https://dgl.cx/2025/10/bash-a-newline-ssh-proxycommand-cve-2025-61984 · Exploit
- https://security-tracker.debian.org/tracker/source-package/openssh · Vendor Advisory
- https://security-tracker.debian.org/tracker/CVE-2025-61984 · Vendor Advisory
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61984 · Security Note
- https://nvd.nist.gov/vuln/detail/CVE-2025-61984 · Security Note
- https://reddit.com/r/CVEWatch/comments/1o16cnb/top_10_trending_cves_08102025 · Reddit Post
- https://t.me/CSIRT_italia/2784 · Telegram Post
- https://reddit.com/r/AlmaLinux/comments/1o28mdo/cve202561984 · Reddit Post
- https://twitter.com/Dinosn/status/1975416200726241499 · Twitter Post
- https://t.me/poxek/5595 · Telegram Post
- https://t.me/RNetsec/22066 · Telegram Post
- https://t.me/purp_sec/1187 · Telegram Post
- https://twitter.com/_r_netsec/status/1975878362460766430 · Twitter Post
- https://reddit.com/r/u_aalejos/comments/1o5xrhl/bash_un_nuevo_cve202561984_que_afecta_a · Reddit Post
- https://twitter.com/CybershieldHub/status/1975460602026803633 · Twitter Post