AI description
CVE-2025-61984 is a command injection vulnerability in OpenSSH that allows for remote code execution on a client system. The vulnerability stems from the inadequate filtering of control characters in usernames when the ProxyCommand string is expanded. This occurs when the %r token is used in the ProxyCommand directive within the user's SSH configuration file (~/.ssh/config) to include the remote username. An attacker can inject control characters, such as newline characters, into the username, which can then interrupt the intended `exec` invocation. This interruption allows the attacker to execute arbitrary commands with the privileges of the SSH client. A common attack scenario involves a malicious Git submodule URL. If a user clones a repository with a crafted .gitmodules entry and a matching SSH proxy configuration, the injected control characters trigger the proxy command to execute arbitrary scripts before the SSH connection is established. This vulnerability affects OpenSSH client versions up to and including 10.0p1.
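A defensive audit for the condition described above, as an added example that is not OpenSSH code and not part of the original record: it lists `ProxyCommand` directives in an ssh_config that expand `%r` and checks a username for control characters. The sample config, function names and the control-character test (Unicode category `Cc`) are assumptions made for illustration.

```python
import re
import unicodedata

# Constructed sample config for illustration; not taken from the CVE record.
SAMPLE_CONFIG = """\
Host bastion-*
    ProxyCommand /usr/local/bin/connect-helper %r@%h:%p
Host literal
    User deploy
    ProxyCommand nc -X connect -x proxy.example:3128 %h %p
Host escaped
    proxycommand=/bin/helper --tag 100%%r %h
"""


def proxycommands_using_remote_user(config_text):
    """Return (line_no, block, command) for each ProxyCommand that expands %r."""
    findings, block = [], "(global)"
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config keywords are case-insensitive; '=' may separate key and value.
        match = re.match(r"([A-Za-z]+)\s*=?\s*(.*)$", line)
        if not match:
            continue
        key, value = match.group(1).lower(), match.group(2)
        if key in ("host", "match"):
            block = line  # remember which block the directive belongs to
        elif key == "proxycommand" and "%r" in value.replace("%%", ""):
            # '%%' is a literal percent sign, so it is dropped before the token test.
            findings.append((line_no, block, value))
    return findings


def username_has_control_chars(user):
    """True if the username contains any control character, such as a newline."""
    return any(unicodedata.category(ch) == "Cc" for ch in user)


if __name__ == "__main__":
    for line_no, block, command in proxycommands_using_remote_user(SAMPLE_CONFIG):
        print(f"line {line_no} [{block}]: ProxyCommand expands %r: {command}")
    for candidate in ("git", "git\nexample"):  # constructed usernames
        print(repr(candidate), "control chars:", username_has_control_chars(candidate))
```

A flagged directive is only exposed when the username comes from one of the untrusted sources named in the description below; a config that supplies a complete literal username is not.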
- Description
- ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)
- Source
- cve@mitre.org
- NVD status
- Received
CVSS 3.1
- Type
- Secondary
- Base score
- 3.6
- Impact score
- 2.5
- Exploitability score
- 1
- Vector string
- CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
- Severity
- LOW
- cve@mitre.org
- CWE-159
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
- 36