CVE-2025-61984 — OpenSSH command injection vulnerability


CVE-2025-61984 is a recently disclosed command injection vulnerability in the OpenSSH client (ssh) that affects versions prior to 10.1. This article covers what CVE-2025-61984 is, the root cause of the vulnerability, the conditions under which it is exploitable, and how to mitigate it.

Root cause of CVE-2025-61984

OpenSSH's ssh_config supports a ProxyCommand option that tells the client to run an external program to reach the target host; ssh then talks to the server over that program's standard input and output. The command string is handed to the user's shell for execution, and before that the client performs percent-sequence expansion on it: %r becomes the remote username, %h the target hostname and %p the port, among others (the full list is in ssh_config(5)).

The root cause is that, in the affected versions, the client did not reject control characters in the username. A username can arrive from an untrusted source, for example on the command line (user@host, -l user, or an ssh:// URL passed along by another tool), and it was substituted verbatim into the expanded ProxyCommand through %r with no sanitization.

When the shell parses the resulting string, a newline (\n) ends the command in progress and starts a new one, so whatever follows the newline in the username runs as a separate command.
An attacker who controls the username can therefore execute arbitrary commands on the client host, with the privileges and in the environment of the user running ssh. Two preconditions apply: the victim's configuration must contain a ProxyCommand that expands %r, and the attacker must get the client to use the crafted username. A configuration that never references %r does not expose this path.
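The following Python model, an added example and not OpenSSH's own code, shows the mechanism end to end: a simplified %-expansion of a ProxyCommand template, a newline smuggled in through the username, the resulting two-command shell string, and the client-side check a fixed client applies before the username can reach the shell. The template uses echo in place of a real connector so the effect is visible without opening a connection; the username, hostname and template are constructed inputs, and the exact character set OpenSSH 10.1 rejects is assumed here to be every byte below 0x20 plus DEL.

```python
"""Model of CVE-2025-61984: %-expansion of a ProxyCommand template with an
attacker-controlled username, and the client-side check that blocks it.
This is an added illustration, not code from OpenSSH."""
import re
import subprocess

# Constructed subset of ssh_config(5) percent expansions: %r, %h, %p and %%.
_TOKENS = re.compile(r"%([rhp%])")


def expand_proxycommand(template: str, ruser: str, host: str, port: int) -> str:
    """Expand %r/%h/%p/%% the way an unfixed client did: raw substitution,
    with no check on which characters the username carries."""
    values = {"r": ruser, "h": host, "p": str(port), "%": "%"}
    return _TOKENS.sub(lambda m: values[m.group(1)], template)


def shell_commands(expanded: str) -> list[str]:
    """Split on newlines to show what the shell will treat as separate commands.
    A newline terminates the current command, exactly as the advisory describes."""
    return [line for line in expanded.split("\n") if line.strip()]


def has_control_chars(s: str) -> bool:
    """Hardened check modelled on the 10.1 behaviour. Assumption: the rejected
    set is every code point below 0x20 plus DEL (0x7F)."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in s)


def run_proxycommand(template: str, ruser: str, host: str, port: int,
                     *, hardened: bool) -> list[str]:
    """Run the expanded template through /bin/sh, as ssh does for ProxyCommand,
    and return the lines it printed. With hardened=True the username is
    validated first and a crafted one never reaches the shell."""
    if hardened and has_control_chars(ruser):
        raise ValueError("username contains control characters")
    cmd = expand_proxycommand(template, ruser, host, port)
    result = subprocess.run(["/bin/sh", "-c", cmd],
                            capture_output=True, text=True, check=False)
    return result.stdout.splitlines()


if __name__ == "__main__":
    # echo stands in for a connector such as "ssh -W %h:%p jump-%r".
    template = "echo connecting as %r to %h:%p"
    crafted = "alice\necho INJECTED"  # constructed: newline hidden in the user
    print("expanded string:", repr(expand_proxycommand(template, crafted, "example.invalid", 22)))
    print("shell sees:", shell_commands(expand_proxycommand(template, crafted, "example.invalid", 22)))
    print("unfixed client ran:", run_proxycommand(template, crafted, "example.invalid", 22, hardened=False))
    try:
        run_proxycommand(template, crafted, "example.invalid", 22, hardened=True)
    except ValueError as err:
        print("fixed client:", err)
```

The unfixed path prints two lines, the second produced by the command that followed the newline; the hardened path rejects the username before any shell is spawned. The same validator is what a script or tool that builds ssh command lines from external data should apply to usernames it does not control.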

Affected OpenSSH Client versions

OpenSSH clients (ssh) before version 10.1. The server, sshd, is not affected: ProxyCommand and its %-expansion are client-side.

Risk

Arbitrary command execution on the SSH client host, in the context of the user running ssh. Because ProxyCommand runs locally, whoever controls the username gains code execution on the client, not on the server.

How to mitigate CVE-2025-61984?
  • Update to OpenSSH 10.1 or later as soon as possible. Confirm the running version with ssh -V, keeping in mind that some distributions backport the fix without changing the version string; in that case check the package changelog.
  • Do not pass untrusted usernames straight to ssh from scripts or tools; validate them first and reject anything containing control characters (newline, carriage return, and other bytes below 0x20).
  • Review ProxyCommand settings in ssh_config, ~/.ssh/config and automation scripts for %r expansions. A ProxyCommand that never references %r does not expose this path; one that does should only ever see trusted usernames.
  • Treat every %-expansion that flows into a shell command as untrusted input whenever the connection parameters come from unknown sources, and restrict which expansions such commands use.
