CVE-2025-61984
Published: October 9, 2025Last modified: December 23, 2025
Description
ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 3.6 |
| Attack Vector | LOCAL |
| Attack complexity | HIGH |
| Privileges required | LOW |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | LOW |
| Integrity impact | LOW |
| Availability impact | NONE |
| Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | openssh | Fixed (9.1_p1-r12) |
| 25 LTS | openssh | Fixed (10.0_p1-r10) | |
| Stream | openssh | Fixed (10.1_p1-r0) | |
| Hardened Containers | 23 LTS | openssh | Fixed (9.1_p1-r12) |
| 25 LTS | openssh | Fixed (10.0_p1-r10) | |
| Stream | openssh | Fixed (10.1_p1-r0) |
References
- http://www.openwall.com/lists/oss-security/2025/10/07/1
- http://www.openwall.com/lists/oss-security/2025/10/12/1
- https://dgl.cx/2025/10/bash-a-newline-ssh-proxycommand-cve-2025-61984
- https://github.com/openssh/openssh-portable/commit/35d5917652106aede47621bb3f64044604164043.patch
- https://marc.info/?l=openssh-unix-dev&m=175974522032149&w=2
- https://www.openssh.com/releasenotes.html#10.1p1
- https://www.openwall.com/lists/oss-security/2025/10/06/1
- https://www.vicarius.io/vsociety/posts/cve-2025-61984-detection-script-remote-code-execution-vulnerability-affecting-openssh
- https://www.vicarius.io/vsociety/posts/cve-2025-61984-mitigation-script-remote-code-execution-vulnerability-affecting-openssh