JLSEC-2025-7 Low 3.6

ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain...

JLSEC Published: Oct 9, 2025
Modified: Apr 9, 2026
Severity: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Affected Packages: OpenSSH_jll < 10.1.1+0
Aliases / Upstream: CVE-2025-61984 GHSA-hh67-847q-q3h9 EUVD-2025-32089

ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)

References

https://marc.info/?l=openssh-unix-dev&m=175974522032149&w=2
https://www.openssh.com/releasenotes.html#10.1p1
https://www.openwall.com/lists/oss-security/2025/10/06/1
http://www.openwall.com/lists/oss-security/2025/10/07/1
http://www.openwall.com/lists/oss-security/2025/10/12/1
https://www.vicarius.io/vsociety/posts/cve-2025-61984-detection-script-remote-code-execution-vulnerability-affecting-openssh
https://www.vicarius.io/vsociety/posts/cve-2025-61984-mitigation-script-remote-code-execution-vulnerability-affecting-openssh
https://dgl.cx/2025/10/bash-a-newline-ssh-proxycommand-cve-2025-61984
https://nvd.nist.gov/vuln/detail/CVE-2025-61984
https://github.com/advisories/GHSA-hh67-847q-q3h9