ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand — CVE-2025-61984

Date
2025-10-14

Updated
2026-03-31

Source
MSRC

Vendor
Microsoft

Threat
low

CVSS
3.6

Summary

Advisory CVE-2025-61984. ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially… Vendor: Microsoft. Source: MSRC. Threat: low. CVSS 3.6. See the official…

What to do

General, cautious steps (verify details in the official source):

Review exposure and plan remediation based on risk and environment.
Identify affected product versions in your inventory and verify whether you are impacted.
Apply vendor patches/updates or recommended mitigations as soon as available.
Read the official advisory for exact affected versions and remediation steps.

Official advisory

Read the official source

Related advisories

Microsoft MSRC 2026-W14