CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2025-61984
CVSS 3.6 · EPSS 0.01%

Bash a Newline: The SSH ProxyCommand RCE You Didn't Know You Had

Alon Barad
Software Engineer

Jan 6, 2026 · 9 min read · 26 visits

PoC Available

Executive Summary (TL;DR)

Craft a malicious username with a newline and a syntax error, combine it with a misconfigured SSH ProxyCommand, and trick a developer into cloning a Git repo. The result? Arbitrary code execution on their machine. Your Git submodules might be betraying you.

A vulnerability exists in OpenSSH versions prior to 10.1 where the `ssh` client fails to properly sanitize control characters within usernames originating from untrusted sources, such as the command line or configuration file expansions. When a user has a specific `ProxyCommand` configured with the remote username token (`%r`), an attacker can craft a malicious username containing shell metacharacters (like newlines) and a syntax error. This combination tricks certain shells (like Bash) into executing arbitrary commands on the client's machine, leading to remote code execution. The attack is typically delivered via social engineering, for example, by convincing a developer to clone a malicious Git repository with a crafted submodule URL.
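A defender-side audit for the precondition described above, as an added example that is not from the original report or from OpenSSH: it lists `ProxyCommand` entries in an ssh_config that expand `%r` and flags usernames containing control characters. The sample config, host names and function names are constructed for illustration, and "control character" is assumed to mean ASCII 0x00-0x1F and 0x7F.

```python
import re

# Constructed sample ssh_config (hypothetical hosts), not from the report.
SAMPLE_CONFIG = """\
Host *.corp.example
    ProxyCommand ssh -W %h:%p %r@bastion.example
Host safe.example
    ProxyCommand=nc %h %p
Host literal.example
    proxycommand echo 100%%r done %h
# ProxyCommand ssh %r@commented.example
"""

def uses_token(command, token="r"):
    """True if command expands %<token>; '%%' is a literal percent sign."""
    i = 0
    while i < len(command) - 1:
        if command[i] == "%":
            if command[i + 1] == token:
                return True
            i += 2  # skip '%%' or some other token
        else:
            i += 1
    return False

def find_risky_proxycommands(config_text):
    """Return (line_no, block, command) for each ProxyCommand expanding %r."""
    findings, block = [], "(global)"
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        # Keyword and value are separated by whitespace or a single '='.
        # Blank lines and '#' comments do not start with a keyword: no match.
        m = re.match(r"([A-Za-z]+)(?:\s*=\s*|\s+)(.*)$", raw.strip())
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword in ("host", "match"):
            block = f"{m.group(1)} {value}"
        elif keyword == "proxycommand" and uses_token(value):
            findings.append((line_no, block, value))
    return findings

def has_control_chars(username):
    """Assumed definition: any ASCII control character (0x00-0x1F, 0x7F)."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in username)

if __name__ == "__main__":
    for line_no, block, command in find_risky_proxycommands(SAMPLE_CONFIG):
        print(f"line {line_no} [{block}]: ProxyCommand expands %r: {command}")
    print(has_control_chars("git"), has_control_chars("user\nname"))
```

Feed it the contents of `~/.ssh/config` and `/etc/ssh/ssh_config`; a hit means the `%r` precondition from the report is present on a client that should be on OpenSSH 10.1 or later. It does not follow `Include` directives.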

Official Patches

OpenSSH: Official release notes for OpenSSH 10.1p1 containing the security fix.

Technical Appendix

CVSS Score: 3.6 / 10
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
EPSS Probability: 0.01% (Top 100% most exploited)

Affected Systems

OpenSSH before 10.1

Affected Versions Detail

| Product | Affected Versions | Fixed Version |
|---|---|---|
| OpenSSH (OpenBSD) | < 10.1 | 10.1p1 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-159 |
| CWE Name | Improper Handling of Invalid Use of Special Elements |
| Attack Vector | Local (AV:L) |
| Attack Complexity | High (AC:H) |
| CVSS v3.1 Score | 3.6 (Low) |
| EPSS Score | 0.007% (0.00007) |
| Impact | Remote Code Execution on client machine |
| Exploit Status | Public PoC Available |
| KEV Status | Not Listed |

MITRE ATT&CK Mapping

  • T1059.004: Command and Scripting Interpreter: Unix Shell (Execution)
  • T1559: Inter-Process Communication (Execution)

CWE-159: Improper Handling of Invalid Use of Special Elements

The product does not properly handle inputs that are not explicitly part of the syntax, but can still be processed. This may include control characters, alternate encodings, or other special characters that can have an effect on processing, even if they are not part of the defined syntax.

Known Exploits & Detection

  • GitHub (Discoverer's PoC): Proof-of-Concept for OpenSSH ProxyCommand CVE-2025-61984 by the vulnerability researcher.
  • GitHub: Another public Proof-of-Concept repository for CVE-2025-61984.

Vulnerability Timeline

  • 2025-10-06: OpenSSH 10.1 released with a patch for the vulnerability.
  • 2025-10-06: CVE-2025-61984 published in NVD.
  • 2025-10-06: Discoverer David Leadbeater publishes detailed blog post and PoC.

