A newly disclosed command injection vulnerability in OpenSSH, tracked as CVE-2025-61984, could allow an attacker to achieve remote code execution on a victim's machine.
The vulnerability is a bypass of an earlier fix for a similar issue (CVE-2023-51385) and abuses how the ProxyCommand feature interacts with the underlying system shell when handling specially crafted usernames.
The core of the vulnerability lies in OpenSSH's failure to properly sanitize control characters, such as newlines, in usernames. An attacker can create a username that contains a newline character followed by a malicious command.
ssh(1) expands the percent tokens in ProxyCommand (for example %r, the remote username) by plain text substitution and hands the resulting string to the user's shell (the one named by the SHELL environment variable, falling back to /bin/sh) with -c, so a newline inside the expanded string ends one command and starts another. While OpenSSH filters many dangerous shell metacharacters, it did not filter the characters that force a syntax error in certain shells.
When a shell such as Bash, Fish or csh processes the ProxyCommand, the crafted syntax error on the first line causes that command to fail, but the shell does not exit.
Instead, it goes on to execute the command on the next line, which is the attacker-supplied payload. This behaviour effectively bypasses the safeguards intended to prevent command execution and opens the door to remote code execution.
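To make the mechanism concrete, the following is an added example (not code from the article or from OpenSSH) that simulates ssh's percent expansion and the "$SHELL -c" hand-off in POSIX sh. The helper names, the templates, git.example.com and the crafted username are all constructed for the demo; printf stands in for the real proxy program so it runs offline. It goes slightly beyond the article by also probing which shells installed on the host keep executing a -c string after a syntax error on its first line, the property the attack depends on.

```shell
#!/bin/sh
# Added example, not code from the article or from OpenSSH: a small
# simulation of how ssh(1) expands ProxyCommand percent tokens and hands the
# result to "$SHELL -c". The templates, git.example.com and the crafted
# username are constructed for this demo, and printf stands in for the real
# proxy program so everything runs offline. The victim shell defaults to bash.

# Replace the first occurrence of TOKEN ($2) in STRING ($1) with VALUE ($3).
# Like ssh's percent expansion, the value is pasted in verbatim, unquoted.
subst() {
  case $1 in
    *"$2"*) printf '%s%s%s' "${1%%"$2"*}" "$3" "${1#*"$2"}" ;;
    *)      printf '%s' "$1" ;;
  esac
}

# Expand %h, %p and %r in a ProxyCommand template. ssh does this in a single
# pass; substituting %r last gives the same result for these inputs.
expand_proxy_command() {  # TEMPLATE USER HOST PORT
  out=$(subst "$1" '%h' "$3")
  out=$(subst "$out" '%p' "$4")
  subst "$out" '%r' "$2"
}

# Run the expanded command the way ssh does, as one -c string in the victim's
# shell, so an embedded newline ends the first command and starts a second.
run_proxy_command() {  # TEMPLATE USER [SHELL]
  cmd=$(expand_proxy_command "$1" "$2" git.example.com 22)
  "${3:-bash}" -c "$cmd" 2>&1
}

# Exit 0 if a line consisting solely of INJECTED appeared, i.e. the attacker's
# second line ran as its own command instead of staying inside one argument.
injection_detected() {  # TEMPLATE USER [SHELL]
  run_proxy_command "$1" "$2" "${3:-bash}" | grep -qx 'INJECTED'
}

# Does SHELL keep executing a -c string after a syntax error on line 1? The
# article reports that bash, fish and csh do and zsh does not; this probe
# prints "continues", "stops" or "not installed" for the copy on this host.
syntax_error_behaviour() {  # SHELL
  command -v "$1" >/dev/null 2>&1 || { echo "not installed"; return 0; }
  if "$1" -c 'echo )
echo CONTINUED' 2>/dev/null | grep -qx 'CONTINUED'; then
    echo "continues"
  else
    echo "stops"
  fi
}

# Constructed inputs: a template with %r unquoted, the same template with %r
# single-quoted (the workaround from the article), and a username carrying a
# newline followed by a payload. ssh's existing username filter rejects quote
# characters, which is why the attacker cannot close the single quote.
UNSAFE_TEMPLATE="printf 'proxy-argv:[%s]\n' host=%h port=%p user=%r"
SAFE_TEMPLATE="printf 'proxy-argv:[%s]\n' host=%h port=%p user='%r'"
EVIL_USER=$(printf 'victim\necho INJECTED')

echo "== unquoted %r =="
run_proxy_command "$UNSAFE_TEMPLATE" "$EVIL_USER"
echo "== single-quoted %r =="
run_proxy_command "$SAFE_TEMPLATE" "$EVIL_USER"
for shell_name in bash zsh dash fish csh; do
  echo "$shell_name: $(syntax_error_behaviour "$shell_name")"
done
```

With the unquoted template the victim shell prints the three proxy arguments and then a bare INJECTED line, because `echo INJECTED` ran as a second command; with the single-quoted template the newline and payload stay inside the one `user=...` argument. The probe at the end only reports what each installed shell does; it is not part of the exploit.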
The Git Submodule Attack Vector
The most practical exploitation scenario for CVE-2025-61984 involves a malicious Git repository. An attacker can configure a submodule in the repository to use an SSH URL containing the malicious, multi-line username.
If a victim clones the repository recursively (git clone --recursive), Git attempts an SSH connection to fetch the submodule, and that connection triggers the vulnerable ProxyCommand if the user has a particular configuration.
The exploit requires two conditions on the victim's machine: a shell that continues execution after a syntax error (such as Bash) and an SSH configuration file (~/.ssh/config) with a ProxyCommand that uses the %r token to include the remote username.
Notably, Zsh is not vulnerable to this technique because it stops when it encounters such an error. Tools such as Teleport have been found to generate SSH configurations that use the vulnerable pattern, potentially widening the attack surface.
Mitigations
The OpenSSH project has fixed the vulnerability in version 10.1 by disallowing control characters in usernames. All users are strongly urged to upgrade to that version or newer.
For systems that cannot be updated immediately, several mitigations are available.
Users can edit their SSH configuration to enclose the %r token in single quotes ('%r') in any ProxyCommand directive, which prevents the shell from interpreting the special characters; because OpenSSH already rejects single quotes in usernames, an attacker cannot break out of the quoting.
Another effective defense-in-depth measure is to configure Git to restrict the automatic use of SSH for submodules.
This vulnerability is a stark reminder of the complex security risks that can emerge from the interactions between trusted developer tools.
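The two workarounds above, as an added example that is not part of the article or of OpenSSH: a grep-based audit for ProxyCommand lines that pass %r to the shell unquoted, a sed filter that applies the single-quote fix, and the Git policy the article alludes to, which is Git's documented protocol.<name>.allow setting with the value user (SSH stays usable when the user runs clone/fetch/push directly, but not for commands that run them without user input, such as recursive submodule initialisation). The sample config and the jump-tool proxy program are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article or the OpenSSH project: an audit for
# ssh_config files whose ProxyCommand passes %r to the shell unquoted, a
# filter that applies the single-quote workaround, and the git setting that
# keeps submodule initialisation from using SSH on its own. The sample config
# below is constructed for the demo (jump-tool is a made-up proxy program).

# Print, with line numbers, every ProxyCommand line in FILE (default: stdin)
# that contains a %r token not wrapped in single quotes. Exit 0 if any found.
find_unquoted_r() {  # [FILE]
  grep -n -i -E "^[[:space:]]*ProxyCommand.*[^']%r([^']|$)" "${1:--}"
}

# Rewrite FILE to stdout with every bare %r in a ProxyCommand line wrapped as
# '%r'; tokens that are already quoted are left alone. Review the output,
# then replace ~/.ssh/config with it.
quote_r_tokens() {  # [FILE]
  sed -E "/^[[:space:]]*[Pp]roxy[Cc]ommand/ s/([^'])%r([^']|$)/\1'%r'\2/g" "${1:--}"
}

# Git's protocol.<name>.allow = user policy: the ssh transport stays usable
# when the user runs clone/fetch/push directly, but not for commands that
# run them without user input, such as recursive submodule initialisation.
# FILE is the config file to write; use "--global" instead in practice.
restrict_submodule_ssh() {  # FILE
  git config --file "$1" protocol.ssh.allow user
}

SAMPLE_CONFIG=$(mktemp)
GIT_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG" "$GIT_CFG"' EXIT
cat >"$SAMPLE_CONFIG" <<'EOF'
# constructed sample ~/.ssh/config
Host *.jump.example.com
    ProxyCommand /usr/local/bin/jump-tool proxy ssh --cluster=example %r@%h:%p
Host bastion-fixed
    ProxyCommand ssh -W %h:%p '%r'@bastion.example.com
Host plain
    ProxyCommand nc -X connect -x proxy.example.com:1080 %h %p
EOF

echo "== ProxyCommand lines with unquoted %r =="
find_unquoted_r "$SAMPLE_CONFIG" || echo "(none)"
echo "== after quoting =="
quote_r_tokens "$SAMPLE_CONFIG"
if command -v git >/dev/null 2>&1; then
  restrict_submodule_ssh "$GIT_CFG"
  echo "== git policy written: $(git config --file "$GIT_CFG" --get protocol.ssh.allow)"
fi
```

The audit only looks at the literal config file; to see the ProxyCommand ssh will actually use for a given host after Match and Include processing, run `ssh -G <host>` and inspect its proxycommand line. Tool-generated configs such as the ones the article attributes to Teleport are regenerated by the tool, so a hand-applied quote fix there needs to be repeated or upstreamed.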