CVE-2023-51385 in OpenSSH

Summary

by MITRE • 12/18/2023

In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.


Analysis

by VulDB Data Team • 11/06/2025

The vulnerability CVE-2023-51385 represents a critical command injection flaw in OpenSSH versions prior to 9.6, specifically affecting the handling of user names and host names containing shell metacharacters. This vulnerability operates through the exploitation of expansion tokens within SSH configurations, creating a pathway for malicious command execution when untrusted repository data is processed. The flaw particularly manifests when Git submodules contain user names or host names with special shell characters that get interpreted during SSH operations.

The technical root of this vulnerability is insufficient input validation and sanitization in the SSH client's handling of remote host and user identifiers. When the SSH client encounters a host name or user name containing shell metacharacters such as semicolons, ampersands, or backticks, those characters can be interpreted as command delimiters or operators when the value is substituted through an expansion token. This behavior corresponds to CWE-78, improper neutralization of special elements used in an OS command, and can lead to arbitrary code execution through crafted input.

The operational impact of this vulnerability extends beyond simple command injection, as it can be leveraged in supply chain attacks through untrusted Git repositories. Attackers can craft malicious submodule configurations containing shell metacharacters in user names or host names, which are then interpreted when legitimate users clone or update repositories containing such submodules. This creates a significant risk for development environments where automated processes or continuous integration systems process untrusted repository data, effectively giving attackers a vector to execute arbitrary commands on systems with SSH access.

The vulnerability's exploitation typically requires an attacker to control or influence a Git repository's submodule configuration, making it particularly dangerous in collaborative development environments or when using third-party libraries. The attack chain involves the initial compromise of repository metadata, followed by the SSH client's processing of these malicious identifiers during normal Git operations. This aligns with ATT&CK technique T1059.001 for command and scripting interpreter, where adversaries leverage legitimate system tools to execute malicious code.

Mitigation strategies for CVE-2023-51385 primarily focus on updating to OpenSSH 9.6 or later versions, which contain patches addressing the improper input handling. Organizations should also implement strict input validation for repository metadata, particularly when processing untrusted sources, and consider implementing automated scanning for malicious Git configurations in CI/CD pipelines. Network segmentation and privilege separation can reduce the potential impact of successful exploitation, while regular security audits of Git repository configurations help identify and remediate vulnerable setups before they can be exploited.
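As an added defender-side example of the automated scanning of Git configurations that the paragraph above recommends (this is not code from OpenSSH, Git, MITRE or VulDB), the Python script below parses a .gitmodules file, extracts the user and host components of ssh-style submodule URLs, and reports any that contain characters outside a conservative allowlist. The allowlist, the URL-parsing rules and the sample .gitmodules content are assumptions chosen for this example, not the checks OpenSSH 9.6 itself applies.

```python
"""Scan a .gitmodules file for submodule URLs whose SSH user or host part
contains characters outside a conservative allowlist.

Added defensive example for CVE-2023-51385; this is not code from OpenSSH,
Git, MITRE or VulDB. The allowlist and the sample .gitmodules are assumptions
constructed for illustration."""

import re
import string
import sys

# Allowlist for user and host components handed to ssh. Anything outside it
# (including ; & | ` $ ( ) and whitespace) is reported. IPv6 literals and
# other rare forms are flagged too, which is the safe direction for a scanner.
ALLOWED = set(string.ascii_letters + string.digits + "._-")

SSH_SCHEMES = ("ssh", "git+ssh", "ssh+git")


def parse_gitmodules(text):
    """Return [(submodule_name, url)] from .gitmodules text (minimal parser)."""
    entries, name = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r'^\[submodule\s+"(.+)"\]$', line)
        if m:
            name = m.group(1)
            continue
        if name and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "url":
                entries.append((name, value.strip()))
    return entries


def ssh_user_host(url):
    """Return (user, host) for URLs Git would hand to ssh; None otherwise."""
    if "://" in url:
        scheme, _, rest = url.partition("://")
        if scheme.lower() not in SSH_SCHEMES:
            return None                      # https://, git://, file:// ...
        netloc = rest.split("/", 1)[0]
        user, _, host = netloc.rpartition("@")   # user is '' when absent
        h, _, port = host.rpartition(":")
        if h and port.isdigit():             # drop an explicit :port
            host = h
        return user, host
    # scp-like syntax: [user@]host:path, recognised when ':' precedes any '/'
    colon, slash = url.find(":"), url.find("/")
    if colon == -1 or (slash != -1 and slash < colon):
        return None                          # local or relative path
    user, _, host = url[:colon].rpartition("@")
    return user, host


def scan_gitmodules(text):
    """Return [(submodule, field, value, offending_chars)] for risky entries."""
    findings = []
    for name, url in parse_gitmodules(text):
        parsed = ssh_user_host(url)
        if parsed is None:
            continue
        for field, value in zip(("user", "host"), parsed):
            bad = sorted(set(value) - ALLOWED)
            if bad:
                findings.append((name, field, value, bad))
    return findings


# Constructed sample: two ordinary entries and one with a ';' in the host.
SAMPLE_GITMODULES = """\
[submodule "libclean"]
\tpath = vendor/libclean
\turl = git@git.example.com:team/libclean.git
[submodule "web"]
\tpath = vendor/web
\turl = https://git.example.com/team/web.git
[submodule "suspicious"]
\tpath = vendor/suspicious
\turl = ssh://git@bad;host.example/team/thing.git
"""

if __name__ == "__main__":
    # Usage: python3 scan_gitmodules.py [path/to/.gitmodules]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GITMODULES
    hits = scan_gitmodules(text)
    for name, field, value, bad in hits:
        print(f"submodule {name!r}: {field} {value!r} contains {bad}")
    sys.exit(1 if hits else 0)
```

Run it with the path to a .gitmodules file as a CI step; a non-zero exit status marks the repository for review, and without an argument it scans the constructed sample. It inspects only the user and host of ssh-style URLs (ssh:// and scp-like host:path), since those are the values the analysis describes as reaching the SSH client; https:// and local paths are skipped, and an IPv6 literal or other unusual form is reported for manual review rather than silently accepted.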

Reservation

12/18/2023

Disclosure

12/18/2023

Moderation

accepted

CPE

ready

EPSS

0.19753

KEV

no

Activities

very low

Sources
