OpenSSH CVE-2025-61984: Command Injection RCE via ProxyCommand Newline Bypass in Git Submodules, Patch to 10.1 Now

A new OpenSSH command injection vulnerability, CVE-2025-61984, enables remote code execution (RCE) by bypassing a prior fix (CVE-2023-51385) through unsanitized control characters like newlines in usernames. When passed via ProxyCommand to shells (e.g., Bash, Fish, csh), a crafted username triggers a syntax error on the first line but allows execution of a malicious payload on the next—while Zsh safely terminates. OpenSSH filters many metacharacters but misses those forcing shell continuation, exposing systems with vulnerable SSH configs using the %r token.


The primary attack vector is malicious Git submodules: an attacker embeds a multi-line username in a repo URL, exploiting recursive clones (git clone --recursive) if the victim's ~/.ssh/config includes an unquoted %r in ProxyCommand. Tools like Teleport often generate such configs, widening the risk for developers.


Mitigate by upgrading to OpenSSH 10.1+, which bans control characters in usernames; alternatively, single-quote the %r token (e.g., '%r') in ProxyCommand directives or disable automatic SSH for Git submodules. This flaw underscores risks in tool interactions, urging config audits and prompt updates.
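
One way to run the config audit suggested above, as an added example that is not from OpenSSH or the original page: a Python check that flags ProxyCommand directives where %r appears outside single quotes. The sample config, host names and `proxy-helper` path are constructed, and Include files are not followed.

```python
import re

# Constructed sample config; host names and the proxy-helper path are hypothetical.
SAMPLE_CONFIG = """\
Host bastion-a
    ProxyCommand /usr/bin/proxy-helper --user %r --host %h
Host bastion-b
    ProxyCommand /usr/bin/proxy-helper --user '%r' --host %h
Host bastion-c
    proxycommand=/usr/bin/proxy-helper --literal %%r --host %h
Host bastion-d
    ProxyCommand /usr/bin/proxy-helper --user "%r" --host %h
"""

# ssh_config keywords are case-insensitive and accept "keyword value" or "keyword=value".
DIRECTIVE = re.compile(r"^\s*proxycommand(?:\s*=\s*|\s+)(.*)$", re.IGNORECASE)

def unquoted_r_tokens(command):
    """Return offsets of %r tokens that sit outside single quotes."""
    # Only single quotes count as safe, since that is the quoting the page recommends.
    hits, in_single, i = [], False, 0
    while i < len(command):
        ch = command[i]
        if ch == "\\" and not in_single:
            i += 1  # backslash-escaped character outside quotes: skip it
        elif ch == "'":
            in_single = not in_single
        elif ch == "%" and i + 1 < len(command):
            if command[i + 1] == "r" and not in_single:
                hits.append(i)
            i += 1  # consume the token letter; this also makes %%r a literal, not %r
        i += 1
    return hits

def audit(config_text):
    """Return (line_number, command) for each ProxyCommand with an unquoted %r."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if match and unquoted_r_tokens(match.group(1)):
            findings.append((lineno, match.group(1).strip()))
    return findings

if __name__ == "__main__":
    for lineno, command in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: unquoted %r in ProxyCommand: {command}")
```

Pass `audit()` the contents of `~/.ssh/config` and any tool-generated config files; each finding is a directive to rewrite with `'%r'`.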