CVE-2025-61984

Published Oct 6, 2025

Last updated 4 months ago

CVSS low 3.6
OpenSSH
SSH

Overview

Description
ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)
Source: cve@mitre.org
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Secondary
Base score: 3.6
Impact score: 2.5
Exploitability score: 1
Vector string: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Severity: LOW

Weaknesses

cve@mitre.org: CWE-159

Social media

Hype score: Not currently trending
  1. New Flatcar Alpha, Beta and Stable releases now available! 🚀 /etc is now shipped as #systemd confext 🔒 CVE fixes & security patches: CVE-2025-61984 and CVE-2025-61985 for OpenSSH on Stable 📜 Release notes at the usual spot: https://t.co/rZjTiO6fY2

    @flatcar

    9 Mar 2026

    126 Impressions

    3 Retweets

    7 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  2. Bash a newline: Exploiting SSH via ProxyCommand, again (CVE-2025-61984) https://t.co/FQklSM9MFR

    @Tinolle1955

    1 Feb 2026

    81 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Bash a newline: Exploiting SSH via ProxyCommand, again (CVE-2025-61984) https://t.co/G1d0dSzo0E

    @akaclandestine

    1 Feb 2026

    1257 Impressions

    1 Retweet

    12 Likes

    9 Bookmarks

    0 Replies

    0 Quotes

  4. Bash a newline: Exploiting SSH via ProxyCommand, again (CVE-2025-61984) #SSH #RCE #ProxyCommand #ShellExploit #GitSubmodules https://t.co/33jKoShGoc

    @reverseame

    31 Jan 2026

    1264 Impressions

    8 Retweets

    17 Likes

    5 Bookmarks

    1 Reply

    0 Quotes

  5. 🚨 Critical OpenSSH patch for #Fedora42: CVE-2025-61985 & CVE-2025-61984. Input validation flaws in usernames/URLs = risk of DoS or RCE. Read more: 👉 https://t.co/lZhrHlYlfJ #Security https://t.co/g26IuY87W2

    @Cezar_H_Linux

    13 Jan 2026

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. Oracle releases Oracle Linux 9 and 10 SSH security updates, fixing CVE-2025-61984 and CVE-2025-61985 that affect username and URL-string handling. #Vulnerability https://t.co/uueYY48hm9

    @threatcluster

    21 Dec 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Technical deep-dive: OpenSSH security update for the #SUSE ecosystem. We've analyzed the new patch for CVE-2025-61984 and CVE-2025-61985. Read more: 👉 https://t.co/nQgPUnxAn0 #Security https://t.co/zN9eFCyovG

    @Cezar_H_Linux

    17 Nov 2025

    38 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. 📚 OpenSSH ProxyCommand Exploit (CVE-2025-61984) PoC of bash newline attack via SSH ProxyCommand. Read it: https://t.co/fsOiQzYiYl https://t.co/5X7SCeyD2G

    @IntCyberDigest

    27 Oct 2025

    2415 Impressions

    8 Retweets

    25 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  9. 💉 CVE of the Week: Username Injection 💉 CVE-2025-61984 is a Command Injection vulnerability in OpenSSH. When ProxyCommand is used, a crafted username can inject commands, leading to client-side code execution. While it requires a specific client setup, many real environmen

    @vicariusltd

    16 Oct 2025

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. #exploit 1⃣. CVE-2025-32463: LPE to Root via Sudo chroot in Linux - https://t.co/tPtqOQHYJ8 2⃣. CVE-2025-61984: Exploiting SSH via ProxyCommand - https://t.co/2HOWbhgb98 3⃣. CVE-2025-9961: TP-Link CWMP Service RCE - https://t.co/a4Iktctz7h 4⃣. Exploit development for

    @ksg93rd

    15 Oct 2025

    1216 Impressions

    6 Retweets

    15 Likes

    7 Bookmarks

    0 Replies

    0 Quotes

  11. Discover how CVE-2025-61984 affects SSH and what measures to take. More info here: https://t.co/S3ywmE23h8 #Ciberseguridad #SSH

    @AlejosAngel

    13 Oct 2025

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. Bash a newline: Exploiting SSH via ProxyCommand, again (CVE-2025-61984) https://t.co/s98KcfEVj5

    @jeroldcamacho

    13 Oct 2025

    62 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. OpenSSH Command Injection (CVE-2025-61984). Exploits unsanitized usernames to inject commands via ProxyCommand, leading to remote code execution on vulnerable servers. Patch OpenSSH immediately and sanitize user inputs. #OpenSSHVuln #RCE https://t.co/wJbF073bDG

    @CyberWolfGuard

    9 Oct 2025

    48 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  14. CVE-2025-61984 : Bash a newline - Exploiting SSH via ProxyCommand https://t.co/aWkVjAwnhM https://t.co/zylngBdYvv

    @freedomhack101

    9 Oct 2025

    66 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  15. Bash a newline: Exploiting SSH via ProxyCommand, again (CVE-2025-61984) https://t.co/C6ERXAPL4K https://t.co/lUi6qGUWku

    @secharvesterx

    8 Oct 2025

    41 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. ⚠️ OpenSSH Vulnerability Exploited Via ProxyCommand to Execute Remote Code Read more: https://t.co/5i4Hhm67f0 A new command injection vulnerability in OpenSSH, tracked as CVE-2025-61984, has been disclosed, which could allow an attacker to achieve remote code execution on

    @The_Cyber_News

    7 Oct 2025

    29934 Impressions

    129 Retweets

    423 Likes

    208 Bookmarks

    8 Replies

    6 Quotes