CVE-2025-61984

Published Oct 6, 2025

Last updated 24 days ago

OpenSSH

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-61984 is a command injection vulnerability in OpenSSH that allows for remote code execution on a client system. The vulnerability stems from the inadequate filtering of control characters in usernames when the ProxyCommand string is expanded. This occurs when the %r token is used in the ProxyCommand directive within the user's SSH configuration file (~/.ssh/config) to include the remote username. An attacker can inject control characters, such as newline characters, into the username, which can then interrupt the intended `exec` invocation. This interruption allows the attacker to execute arbitrary commands with the privileges of the SSH client. A common attack scenario involves a malicious Git submodule URL. If a user clones a repository with a crafted .gitmodules entry and a matching SSH proxy configuration, the injected control characters trigger the proxy command to execute arbitrary scripts before the SSH connection is established. This vulnerability affects OpenSSH client versions up to and including 10.0p1.

Description: ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)
Source: cve@mitre.org
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Secondary
Base score: 3.6
Impact score: 2.5
Exploitability score: 1
Vector string: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Severity: LOW

Weaknesses

cve@mitre.org: CWE-159

Hype score: Not currently trending

References