CVE-2025-61984
OpenSSH vulnerability analysis and mitigation

Overview

CVE-2025-61984 affects the OpenSSH client in versions before 10.1 and was published in October 2025. ssh(1) accepted control characters in usernames that originate from possibly untrusted sources, namely the command line and %-sequence expansion of configuration files, and passed them into the ProxyCommand it runs, which can lead to code execution on the client host (NVD, OpenSSH Release Notes).

Technical details

The vulnerability stems from insufficient input validation. ssh builds the ProxyCommand string by expanding %-sequences (%r is the remote username, %h the host, %p the port) and then hands the result to the user's shell with -c. The username check already rejected shell metacharacters such as quotes, semicolons and pipes, but it did not reject control characters, so a username containing a newline ends the proxy command and whatever follows the newline is executed as a second command when the proxy command is started. An untrusted username can reach ssh from the command line (ssh user@host, -l user, or an ssh:// URL handler) or through %r in the configuration file. The vulnerability has a CVSS v3.1 Base Score of 3.6 (Low) with vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N; the Low rating reflects the preconditions (a ProxyCommand that uses %r and a way to feed ssh a crafted username), not a low impact once they are met (NVD, Security Blog).
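The following is an added example, not OpenSSH code and not from the page: a small model of how a newline in the remote username turns a ProxyCommand into two shell commands on a client before 10.1, and of the two checks involved. The validator rules are this example's own approximation of the pre-10.1 and 10.1 behaviour (the real check lives in OpenSSH's misc.c and differs in detail), the template strings and usernames are constructed, and nothing is actually executed; the example also contrasts the unquoted template with the single-quoted form so the effect of the quoting workaround is visible.

```python
"""
Added example, not OpenSSH code: models how a username containing a newline
could turn a ProxyCommand into two shell commands on an ssh(1) client before
10.1.  The validator rules below are an approximation for illustration only.
"""

# Shell metacharacters that ssh has refused in remote usernames for years
# (illustrative set, not copied from OpenSSH).  Control characters such as
# "\n" are not in it, which is the gap CVE-2025-61984 describes.
SHELL_META = set("'`\";&<>|(){}")


def valid_ruser_pre_10_1(user: str) -> bool:
    """Approximation of the pre-10.1 check: reject metacharacters and
    option-looking tokens, but accept control characters."""
    if not user or user.startswith("-"):
        return False
    for i, ch in enumerate(user):
        if ch in SHELL_META:
            return False
        # "-" after whitespace could be parsed as an option by the proxy
        if ch.isspace() and user[i + 1:i + 2] == "-":
            return False
    if user.endswith("\\"):
        return False
    return True


def valid_ruser_10_1(user: str) -> bool:
    """Same check plus the 10.1 rule: no control characters at all."""
    if not valid_ruser_pre_10_1(user):
        return False
    return not any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in user)


def expand_proxy_command(template: str, *, ruser: str, host: str, port: int) -> str:
    """Minimal model of ssh's %-sequence expansion for ProxyCommand
    (only %r, %h, %p and %% are handled here)."""
    table = {"r": ruser, "h": host, "p": str(port), "%": "%"}
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template) and template[i + 1] in table:
            out.append(table[template[i + 1]])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def shell_commands(cmdline: str) -> list:
    """How `sh -c cmdline` splits the string into commands: a newline outside
    quotes ends one command and starts the next; inside quotes it is literal."""
    cmds, buf, quote = [], [], None
    for ch in cmdline:
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "\n":
            cmds.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    if buf:
        cmds.append("".join(buf).strip())
    return [c for c in cmds if c]


# Constructed sample values (hypothetical hosts and users)
TEMPLATE = "ssh -l %r jump.example.net -W %h:%p"
HARDENED_TEMPLATE = "ssh -l '%r' jump.example.net -W %h:%p"   # the quoting workaround
BENIGN_USER = "alice"
MALICIOUS_USER = "alice\ntouch /tmp/pwned"   # a newline, but no shell metacharacters


def commands_run(template: str, ruser: str) -> list:
    """Commands the client's shell would execute for this template and username."""
    expanded = expand_proxy_command(template, ruser=ruser, host="target.example", port=22)
    return shell_commands(expanded)


if __name__ == "__main__":
    print("pre-10.1 check accepts malicious user:", valid_ruser_pre_10_1(MALICIOUS_USER))
    print("10.1 check accepts malicious user:    ", valid_ruser_10_1(MALICIOUS_USER))
    for t in (TEMPLATE, HARDENED_TEMPLATE):
        print(repr(t), "->", commands_run(t, MALICIOUS_USER))
```

With the unquoted template the malicious username yields two commands, `ssh -l alice` and `touch /tmp/pwned jump.example.net -W target.example:22`; with `'%r'` the whole username, newline included, stays inside one argument and a single command results. The 10.1-style check rejects the username outright, which is why upgrading is the complete fix and quoting is only a workaround.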

Impact

The vulnerability results in execution of attacker-chosen commands on the ssh client host, with the privileges of the user running ssh. The attacker is whoever supplies the username, so the effect is remote even though CVSS scores the attack vector as local. Exploitation requires a client configuration in which the ProxyCommand used for the target host expands the %r token, and a path by which an attacker-controlled username reaches ssh without validation; for that reason the practical impact is considered moderate. The main attack vector described by the reporter is git submodules: a malicious username in a parent repository's .gitmodules file can cause git to invoke ssh with that username during a recursive clone or submodule update (Security Blog).

Mitigation and workarounds

The primary mitigation is to upgrade to OpenSSH 10.1 or later, which rejects control characters in usernames. On clients that cannot be upgraded yet, edit any ProxyCommand in the SSH client configuration that passes the %r expansion token so that the token is wrapped in single quotes ('%r' instead of %r); the shell then keeps a newline inside the quotes as part of a single argument instead of treating it as a command separator. This works because ssh already refuses usernames containing quote characters and other shell metacharacters; the newline was the character the check missed. Git users can stop submodule operations from invoking ssh with attacker-supplied URLs by running git config --global protocol.ssh.allow user, which allows the ssh transport for commands the user types directly but not for commands git runs on its own, such as recursive submodule initialization. Disabling ssh:// URL handlers in browsers and desktop environments removes another path by which an untrusted username can reach ssh (Security Blog, OpenSSH Release Notes).
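As an added example (not from the page or from OpenSSH), the script below audits an ssh_config for ProxyCommand lines that pass %r outside single quotes and prints the quoted form the workaround calls for. The configuration text is constructed for the example; the parser handles the usual "keyword value" and "keyword=value" forms only, does not follow Include directives, and reports Match blocks by their header line.

```python
"""
Added example, not from OpenSSH: find ProxyCommand entries that pass an
unquoted %r and show the single-quoted replacement.  Simplified ssh_config
parsing (no Include handling); the sample config is constructed.
"""
import re

SAMPLE_CONFIG = """\
# constructed sample ~/.ssh/config
Host *.internal.example
    ProxyCommand ssh -l %r bastion.example -W %h:%p

Host legacy
    HostName legacy.example
    ProxyCommand nc -X connect -x proxy.example:1080 %h %p

Host *.fixed.example
    ProxyCommand ssh -l '%r' bastion.example -W %h:%p
"""

# keyword followed by whitespace or "=" and the rest of the line
_KEYVAL = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")


def bare_r_tokens(cmd: str) -> bool:
    """True if %r appears outside single quotes, i.e. where sh would split the
    expanded username at a newline.  %% is a literal percent and is skipped."""
    in_sq, i = False, 0
    while i < len(cmd):
        ch = cmd[i]
        if ch == "'":
            in_sq = not in_sq
        elif ch == "%" and not in_sq and i + 1 < len(cmd):
            if cmd[i + 1] == "%":
                i += 2
                continue
            if cmd[i + 1] == "r":
                return True
        i += 1
    return False


def harden(cmd: str) -> str:
    """Wrap every bare %r in single quotes, leaving already-quoted ones alone."""
    out, in_sq, i = [], False, 0
    while i < len(cmd):
        ch = cmd[i]
        if ch == "'":
            in_sq = not in_sq
        elif ch == "%" and i + 1 < len(cmd):
            nxt = cmd[i + 1]
            if nxt == "%":
                out.append("%%")
                i += 2
                continue
            if nxt == "r" and not in_sq:
                out.append("'%r'")
                i += 2
                continue
        out.append(ch)
        i += 1
    return "".join(out)


def audit(config_text: str) -> list:
    """Return (line number, enclosing Host/Match header, ProxyCommand value)
    for every ProxyCommand that passes %r unquoted."""
    findings, section = [], "(top level)"
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEYVAL.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            section = f"{key.capitalize()} {value}"
        elif key == "proxycommand" and bare_r_tokens(value):
            findings.append((lineno, section, value))
    return findings


if __name__ == "__main__":
    for lineno, section, cmd in audit(SAMPLE_CONFIG):
        print(f"line {lineno} ({section}): ProxyCommand {cmd}")
        print(f"    suggested:          ProxyCommand {harden(cmd)}")
```

On the sample config only the *.internal.example entry is reported; the legacy entry never passes the username to the proxy, and the *.fixed.example entry is already quoted. Two caveats for unpatched clients: the quoting relies on ssh rejecting quote characters in usernames, and if the ProxyCommand is a wrapper script that re-evaluates its arguments, quoting at this layer does not protect the inner shell.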

Community reactions

The vulnerability was discovered and reported by David Leadbeater, who is credited in the OpenSSH release notes. The OpenSSH developers classed it as a minor security issue, which matches the Low CVSS score, and shipped the fix in OpenSSH 10.1 alongside the advisory (OpenSSH Release Notes, OSS Security).

Additional resources

This report was generated using AI.

Related OpenSSH vulnerabilities:

CVE ID           Severity  Score  Technologies  Component name         CISA KEV exploit  Has fix  Published date
CVE-2025-26465   MEDIUM    6.8    Rocky Linux   openssh-askpass-gnome  No                Yes      Feb 18, 2025
CVE-2025-26466   MEDIUM    5.9    OpenSSH       openssh-askpass        No                Yes      Feb 28, 2025
CVE-2025-32728   LOW       3.8    Alma Linux    openssh                No                Yes      Apr 10, 2025
CVE-2025-61985   LOW       3.6    OpenSSH       openssh8.4-common      No                Yes      Oct 06, 2025
CVE-2025-61984   LOW       3.6    OpenSSH       openssh-clients        No                Yes      Oct 06, 2025
