[manjaro-security] [ASA-202505-9] dropbear: arbitrary command execution
Andrea Denisse
denisse at archlinux.org
Tue May 20 21:16:28 CEST 2025
Arch Linux Security Advisory ASA-202505-9
=========================================
Severity: Medium
Date    : 2025-05-19
CVE-ID  : CVE-2025-47203
Package : dropbear
Type    : arbitrary command execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2874
Summary
=======
The package dropbear before version 2025.88-1 is vulnerable to
arbitrary command execution.
Resolution
==========
Upgrade to 2025.88-1.
# pacman -Syu "dropbear>=2025.88-1"
The problem has been fixed upstream in version 2025.88.
Workaround
==========
None.
Description
===========
dbclient in Dropbear SSH before 2025.88 allows command injection via an
untrusted hostname argument, because a shell is used.
Impact
======
A remote attacker can craft a malicious hostname to execute arbitrary
commands on a system using dbclient if the hostname is passed without
proper sanitization.
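The sanitization the impact section refers to can be done on the caller's side for systems that cannot upgrade immediately. The following POSIX shell function is an added example, not Dropbear or Arch code: it accepts only bare hostnames (RFC 1123 labels) and dotted IPv4 literals, so no shell metacharacters reach dbclient; user@ prefixes and IPv6 literals would have to be split off before the check.

```shell
#!/bin/sh
# is_safe_ssh_host HOST
# Returns 0 when HOST consists solely of letters, digits, '-' and '.', with
# well-formed labels; returns 1 otherwise. Quotes, backticks, '$', ';', '|',
# '&', whitespace and newlines are all rejected by the first pattern alone.
is_safe_ssh_host() {
    host=$1
    # Empty input or anything longer than a DNS name may be is rejected.
    [ -n "$host" ] || return 1
    [ "${#host}" -le 253 ] || return 1
    # Any character outside the allowed set fails the check.
    case $host in
        *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    # Labels may not be empty, and may not start or end with '-'.
    case $host in
        -*|*-|.*|*.|*..*|*.-*|*-.*) return 1 ;;
    esac
    return 0
}

# Example use from a script that wraps dbclient (hypothetical variable):
#   if is_safe_ssh_host "$target"; then dbclient "$target"; fi
```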
References
==========
https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2025q2/002385.html
https://security.archlinux.org/CVE-2025-47203