CVE-2025-61984

low-risk

Published 2025-10-06

ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)

Do I need to act?

-

0.01% chance of exploitation

EPSS score — low exploit probability

-

Not on CISA KEV list

No confirmed active exploitation reported to CISA

?

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

3

CVSS 3.6/10 Low

LOCAL / HIGH complexity

References (8)

https://marc.info/?l=openssh-unix-dev&m=175974522032149&w=2

https://www.openssh.com/releasenotes.html#10.1p1

https://www.openwall.com/lists/oss-security/2025/10/06/1

http://www.openwall.com/lists/oss-security/2025/10/07/1

http://www.openwall.com/lists/oss-security/2025/10/12/1

https://www.vicarius.io/vsociety/posts/cve-2025-61984-detection-script-remote-co...

https://www.vicarius.io/vsociety/posts/cve-2025-61984-mitigation-script-remote-c...

https://dgl.cx/2025/10/bash-a-newline-ssh-proxycommand-cve-2025-61984

14

/ 100

low-risk

Severity 9/34 · Low

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal