CVE-2025-61984
Severity: LOW
OpenSSH < 10.1 - Remote Code Execution via Control Characters in Username
Title source: llm
Exploitation Summary
EIP tracks 2 public exploits for CVE-2025-61984. PoCs published by dgl, flyskyfire.
Description
ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)
Exploits (2)
This PoC exploits CVE-2025-61984 by injecting a newline into OpenSSH's ProxyCommand configuration to execute arbitrary commands. The exploit leverages shell interpretation of the %r variable in unquoted ProxyCommand arguments.
The repository contains a deceptive script that initiates a reverse shell to a hardcoded IP address, masquerading as a PoC for CVE-2025-61984. No legitimate exploit code or technical details about the vulnerability are present.
Scores
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N