CVE-2025-61984
OpenSSH vulnerability analysis and mitigation

Overview

CVE-2025-61984, discovered on October 6, 2025, affects OpenSSH versions before 10.1. The vulnerability allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources include the command line and %-sequence expansion of a configuration file (NVD, OpenSSH Release).

Technical details

The vulnerability stems from inadequate filtering of control characters in usernames when expanding the ProxyCommand string. When using the %r token to include the remote username, control characters such as newline are not stripped, allowing an attacker to inject line breaks that interrupt the exec invocation and execute arbitrary commands on the client side. The vulnerability has been assigned a CVSS 3.1 Base Score of 3.6 (Low) with vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N (GBHackers, NVD).

Impact

The vulnerability can result in remote code execution under specific conditions. However, the impact is considered low to moderate, as exploitation requires particular configurations and requires the attacker to have prior knowledge of the hostnames used in match conditions. The vulnerability is particularly concerning for environments using SSH proxies, including cloud gateway solutions like Teleport, which generate proxy commands containing %r (SSH Blog).

Mitigation and workarounds

The primary mitigation is to upgrade to OpenSSH version 10.1 or later, which disallows control characters in usernames. For those unable to upgrade immediately, it is possible to mitigate through SSH configuration by quoting any ProxyCommand that passes the %r expansion token with single quotes. Additional defense-in-depth measures include configuring git to turn off SSH transports for submodules using 'git config --global protocol.ssh.allow user' and disabling URL handlers for ssh:// (SSH Blog, OpenSSH Release).
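The quoting workaround above can be checked mechanically. The following is an added example, not code from OpenSSH or from the sources cited on this page: it scans ssh_config text for ProxyCommand lines where %r appears outside single quotes, and tests a username for control characters. The sample config, the gw-connect helper name, all function names and the exact control-character range are assumptions made for illustration.

```python
import re

# Constructed sample config for illustration; gw-connect is a hypothetical helper.
SAMPLE_CONFIG = """\
Host bastion-a
    ProxyCommand /usr/bin/nc -X connect -x proxy.example:3128 %h %p
Host bastion-b
    ProxyCommand /usr/local/bin/gw-connect --user %r --host %h
Host bastion-c
    ProxyCommand /usr/local/bin/gw-connect --user '%r' --host %h
Host bastion-d
    proxycommand=/usr/local/bin/gw-connect "%r@%h:%p"
"""

PROXY_RE = re.compile(r"^\s*proxycommand(?:\s*=\s*|\s+)(.*)$", re.IGNORECASE)


def unquoted_r_tokens(command):
    """Return offsets of %r tokens that are not inside single quotes."""
    hits, in_single, in_double, i = [], False, False, 0
    while i < len(command):
        ch = command[i]
        if ch == "'" and not in_double:
            in_single = not in_single
        elif ch == '"' and not in_single:
            in_double = not in_double
        elif ch == "%" and i + 1 < len(command):
            if command[i + 1] == "r" and not in_single:
                hits.append(i)
            i += 1  # skip the token letter so a literal "%%r" is not misread
        i += 1
    return hits


def audit_config(text):
    """Return (line_number, command) for ProxyCommand lines with an unquoted %r."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = PROXY_RE.match(line)
        if m and unquoted_r_tokens(m.group(1)):
            findings.append((lineno, m.group(1).strip()))
    return findings


def has_control_chars(username):
    """True if the username contains an ASCII control character (assumed range)."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in username)
```

On the sample, the unquoted and the double-quoted %r lines are reported, while the single-quoted one and the command without %r are not.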

Community reactions

The vulnerability is considered minor by OpenSSH developers, as stated in Ubuntu's security advisory. The security community has noted that while the vulnerability has unique exploitation conditions, it highlights important considerations for software supply chain security and the interactions between git, SSH, and shell behavior (Ubuntu CVE).

This report was generated using AI.

Related OpenSSH vulnerabilities:

CVE ID         | Severity | Score | Technologies | Component name        | CISA KEV exploit | Has fix | Published date
CVE-2025-26465 | MEDIUM   | 6.8   | Rocky Linux  | openssh-askpass-gnome | No               | Yes     | Feb 18, 2025
CVE-2025-26466 | MEDIUM   | 5.9   | OpenSSH      | net-misc/openssh      | No               | Yes     | Feb 28, 2025
CVE-2025-32728 | LOW      | 3.8   | OpenSSH      | openssh-debuginfo     | No               | Yes     | Apr 10, 2025
CVE-2025-61985 | LOW      | 3.6   | OpenSSH      | openssh-keycat        | No               | Yes     | Oct 06, 2025
CVE-2025-61984 | LOW      | 3.6   | OpenSSH      | pam_ssh_agent_auth    | No               | Yes     | Oct 06, 2025
