OpenSSH ProxyCommand Flaw CVE-2025-61984 Bypasses Filters, Allowing RCE via Crafted Usernames
A new vulnerability has been discovered in OpenSSH, CVE-2025-61984, which permits code execution on the client running ssh(1) by abusing the ProxyCommand option together with peculiarities of shell error handling. Exploitation succeeds even though conventional shell metacharacters are rejected in the username, because control characters were still let through and some shells keep executing the following lines after a syntax error on an earlier one.
ProxyCommand is the mechanism OpenSSH offers to route a connection through an intermediate host or proxy, for example ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p. Before running it, ssh expands the percent tokens in the string (%h for the host, %p for the port, %r for the remote username) and hands the result to the user's shell with $SHELL -c. When a ~/.ssh/config uses %r, the remote username, which an attacker can control through the connection string, is therefore spliced directly into a shell command line. While hazardous characters such as ;, |, (, ), and & are rejected, versions before OpenSSH 10.1 did not reject \n (newline), $, [ and other characters that can alter command interpretation in some shells. An attacker can thus craft a username whose first line contains a deliberate syntax error and whose next line is the command to run.
For example, if a Git repository contains a malicious submodule whose .gitmodules URL is url = "$[+]\nsource poc.sh\n@foo.example.com:foo" and the user's ~/.ssh/config contains a line such as ProxyCommand some-command %r@%h:%p, then running git clone --recursive causes ssh to build a three-line command: some-command $[+] on the first line, source poc.sh on the second and @foo.example.com:foo on the third. Under Bash, Fish or csh the second line (source poc.sh) is executed: $[+] is an invalid arithmetic expression, the shell reports the error and abandons that command, but it then continues with the next line instead of exiting. Zsh, by contrast, aborts on the error and is not susceptible in the same way.
For this exploit to succeed, several conditions must coincide: the user must have a ProxyCommand configured that includes %r; the attacker must control the submodule URL in .gitmodules; the interpreter ssh uses to run ProxyCommand (the user's SHELL, for example bash) must be one that keeps executing after the error; and the user must perform git clone --recursive. Under those circumstances the flaw can be weaponized in supply-chain attacks, against CI/CD servers, and within individual developer environments.
One notable affected tool is Teleport, whose tsh config generation can produce a ProxyCommand containing %r, thereby allowing an attacker who knows a cluster name to trigger the attack via crafted Git submodules.
The OpenSSH patch enforces strict filtering of control characters in valid_ruser(), for example: if (iscntrl((u_char)s[i])) return 0;. Recommended mitigations include upgrading to OpenSSH 10.1; quoting %r in ProxyCommand with single quotes (e.g., '%r') so that the whole username, newlines included, becomes a single literal argument (this holds only as long as ssh continues to reject a literal single quote in the username); forbidding SSH in submodules with git config --global protocol.ssh.allow user, which lets Git use ssh only for URLs the user typed and not for ones discovered in .gitmodules; disabling URL handlers for ssh:// schemes that permit control characters; and migrating to shells with stricter error semantics (such as zsh).
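The following script is an added example, not code from the advisory, from OpenSSH or from the original article. It emulates the piece of ssh(1) that expands a ProxyCommand template and hands the result to "$SHELL -c", then runs a constructed username in the shape of the PoC above through a bare %r template and through the single-quoted '%r' mitigation, and finally applies a control-character check of the same shape as the 10.1 fix. The host gitlab.example.org, port 22, the use of echo as a stand-in for the real proxy helper, and the marker-file payload are all assumptions made for the demonstration; nothing is cloned or connected.

```shell
#!/bin/sh
# Added example (not from the advisory or OpenSSH): emulates how ssh(1) expands
# a ProxyCommand template and hands the result to "$SHELL -c". The username,
# host/port and the stand-in proxy command are constructed for this demo; the
# injected payload only creates a marker file.

# Shell that receives the expanded command, as ssh would use $SHELL. Defaults to
# bash (the interpreter the advisory discusses); falls back to sh if absent.
TARGET_SHELL=$(command -v bash || echo sh)

# contains STRING SUBSTRING: 0 if SUBSTRING occurs in STRING.
contains() { case $1 in *"$2"*) return 0 ;; esac; return 1; }

# subst TEMPLATE TOKEN VALUE: replace every TOKEN in TEMPLATE with VALUE.
# Result is left in $SUBST rather than echoed, so a trailing newline in VALUE
# (which $(...) would strip) survives.
subst() {
    _in=$1 _tok=$2 _val=$3 SUBST=
    while contains "$_in" "$_tok"; do
        _head=${_in%%"$_tok"*}
        SUBST="$SUBST$_head$_val"
        _in=${_in#*"$_tok"}
    done
    SUBST="$SUBST$_in"
}

# expand_proxycommand TEMPLATE USER HOST PORT: expand %h, %p and finally %r so
# that text inside the username is never re-expanded. Result in $EXPANDED.
expand_proxycommand() {
    subst "$1" %h "$3"; subst "$SUBST" %p "$4"; subst "$SUBST" %r "$2"
    EXPANDED=$SUBST
}

# valid_ruser USER: the shape of the OpenSSH 10.1 check, rejecting any control
# character (newline included). Returns 0 when the username is acceptable.
valid_ruser() {
    raw=$(printf '%s' "$1" | wc -c | tr -d ' ')
    kept=$(printf '%s' "$1" | LC_ALL=C tr -d '[:cntrl:]' | wc -c | tr -d ' ')
    [ "$raw" -eq "$kept" ]
}

# injection_fires TEMPLATE USER: run the expanded template through the target
# shell and report (exit 0) whether the attacker's line executed, i.e. whether
# the marker file was created.
injection_fires() {
    MARKER="${TMPDIR:-/tmp}/cve-2025-61984-marker.$$"
    export MARKER
    rm -f "$MARKER"
    expand_proxycommand "$1" "$2" gitlab.example.org 22   # assumed host/port
    "$TARGET_SHELL" -c "$EXPANDED" >/dev/null 2>&1 || :
    if [ -e "$MARKER" ]; then rm -f "$MARKER"; return 0; fi
    return 1
}

# Constructed username in the shape of the PoC: an arithmetic expression bash
# rejects, then the attacker's line, then a trailing newline so that the
# template's "@host:port" ends up on a line of its own.
NL='
'
EVIL_USER="\$[+]${NL}touch \"\$MARKER\"${NL}"

# Two ProxyCommand templates: bare %r (vulnerable) and single-quoted '%r' (the
# mitigation from the advisory). echo stands in for the real proxy helper.
UNQUOTED='echo connect %r@%h:%p'
QUOTED="echo connect '%r'@%h:%p"

if injection_fires "$UNQUOTED" "$EVIL_USER"; then
    echo "bare %r: the injected line ran under $TARGET_SHELL"
fi
if ! injection_fires "$QUOTED" "$EVIL_USER"; then
    echo "single-quoted '%r': the payload stayed inside one argument"
fi
if ! valid_ruser "$EVIL_USER" && valid_ruser git; then
    echo "valid_ruser: rejects the crafted name, accepts 'git'"
fi
```

Set TARGET_SHELL to another interpreter (for example zsh) before calling injection_fires to compare error semantics; the expanded string is the same, only the shell's decision to continue past the first line's error differs. Note that the quoted template is only a defence while ssh keeps rejecting a literal single quote in the username, which is why the control-character check, not the quoting, is the actual fix.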
Although exploitation demands a narrow configuration, this vulnerability once again underscores the fragile and unpredictable interplay among Git, SSH, and shell interpreters. Even absent direct exploitation, it highlights the paramount importance of rigorous input sanitization in command-line tools and automation frameworks.