DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-61984: Bash a Newline: The SSH ProxyCommand RCE You Didn't Know You Had

#security #cve #cybersecurity

Bash a Newline: The SSH ProxyCommand RCE You Didn't Know You Had

Vulnerability ID: CVE-2025-61984
CVSS Score: 3.6
Published: 2025-10-06

A vulnerability exists in OpenSSH versions prior to 10.1 where the ssh client fails to properly sanitize control characters within usernames originating from untrusted sources, such as the command line or configuration file expansions. When a user has a specific ProxyCommand configured with the remote username token (%r), an attacker can craft a malicious username containing shell metacharacters (like newlines) and a syntax error. This combination tricks certain shells (like Bash) into executing arbitrary commands on the client's machine, leading to remote code execution. The attack is typically delivered via social engineering, for example, by convincing a developer to clone a malicious Git repository with a crafted submodule URL.

TL;DR

Craft a malicious username with a newline and a syntax error, combine it with a misconfigured SSH ProxyCommand, and trick a developer into cloning a Git repo. The result? Arbitrary code execution on their machine. Your Git submodules might be betraying you.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-159
  • CWE Name: Improper Handling of Invalid Use of Special Elements
  • Attack Vector: Local (AV:L)
  • Attack Complexity: High (AC:H)
  • CVSS v3.1 Score: 3.6 (Low)
  • EPSS Score: 0.007% (0.00007)
  • Impact: Remote Code Execution on client machine
  • Exploit Status: Public PoC Available
  • KEV Status: Not Listed

Affected Systems

  • OpenSSH before 10.1
  • OpenSSH: < 10.1 (Fixed in: 10.1p1)

Exploit Details

  • GitHub (Discoverer's PoC): Proof-of-Concept for OpenSSH ProxyCommand CVE-2025-61984 by the vulnerability researcher.
  • GitHub: Another public Proof-of-Concept repository for CVE-2025-61984.

Mitigation Strategies

  • Upgrade OpenSSH to version 10.1 or later.
  • Modify ~/.ssh/config to wrap any %r expansion tokens in ProxyCommand directives with single quotes (e.g., '%r').
  • Harden Git configuration to prevent automatic use of SSH for submodules by setting git config --global protocol.ssh.allow user.
  • Use shells like Zsh that are not vulnerable to this specific syntax error handling behavior as your default user shell.

Remediation Steps:

  1. Identify all systems running OpenSSH versions prior to 10.1.
  2. Deploy OpenSSH 10.1p1 or a newer version across all affected systems.
  3. Audit all user ~/.ssh/config files and system-wide /etc/ssh/ssh_config for ProxyCommand directives.
  4. For any ProxyCommand found using %r, ensure it is quoted as '%r' as a temporary mitigation or until all clients are patched.
  5. Educate developers about the risks of cloning untrusted repositories, especially with the --recursive flag.

References

Read the full report for CVE-2025-61984 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)