CVE-2025-47203: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-47203 affects dbclient in Dropbear SSH versions before 2025.88, discovered and disclosed in May 2025. The vulnerability allows command injection through an untrusted hostname argument due to shell usage. The issue specifically impacts the dbclient component when processing hostname arguments with commas for multihop functionality (NVD, Debian Tracker).

The vulnerability is classified as an OS Command Injection vulnerability (CWE-78). It has been assigned a CVSS v3.1 base score of 4.5 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N, indicating local access, high attack complexity, no privileges required, no user interaction, changed scope, and low impact on confidentiality and integrity with no impact on availability (NVD).

The vulnerability enables attackers to perform command injection via untrusted hostname arguments in both dbclient and ssh components of Dropbear SSH. When exploited, it could lead to unauthorized command execution with the privileges of the running process. The impact is particularly significant in situations where dbclient is passed untrusted hostname arguments (Wiz, OSS Security).

The vulnerability has been fixed in Dropbear SSH version 2025.88. The fix involves modifying the multihop command execution to run directly without shell involvement. Users are strongly advised to upgrade to version 2025.88 or later. The fix has been implemented in the Debian sid release, while other versions (bullseye, bookworm, trixie) remain vulnerable (Debian Tracker, OSS Security).