Dropbear 2025.88 has been released. Dropbear is an SSH server and client that is widely used in wireless routers and compact distributions such as OpenWrt. The new version fixes a vulnerability (CVE-2025-47203) in the SSH client implementation (the dbclient program) that allows shell commands to be executed when a specially crafted host name is processed. The cause is twofold: special characters in the host name are not escaped, and dbclient uses a command interpreter to run commands in multihop mode (multiple hosts separated by commas). The vulnerability is a danger to systems that run dbclient with an unverified host name.
Source: opennet.ru
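
A pre-flight check that a wrapper could apply to an unverified host list before it is handed to dbclient, given here as an added example that is not code from Dropbear or from the original article. The function name `multihop_spec_is_safe`, the 255-byte hop limit and the character allowlist are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Characters accepted inside one hop. The allowlist is an assumption of this
 * example: ASCII letters and digits plus the punctuation needed for DNS
 * names, IP literals, a user@ prefix and a /port suffix. Everything else,
 * including whitespace and shell metacharacters, is rejected. */
static bool hop_char_ok(unsigned char c)
{
    bool alnum = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
                 (c >= 'A' && c <= 'Z');
    return alnum || (c != '\0' && strchr(".-_:@/[]", c) != NULL);
}

/* Validate one hop of length len (not NUL-terminated). */
static bool hop_ok(const char *hop, size_t len)
{
    if (len == 0 || len > 255)   /* empty hop such as "a,,b" or "a," */
        return false;
    if (hop[0] == '-')           /* could be taken for a command-line option */
        return false;
    for (size_t i = 0; i < len; i++)
        if (!hop_char_ok((unsigned char)hop[i]))
            return false;
    return true;
}

/* Return true only if every comma-separated hop in spec passes hop_ok(). */
bool multihop_spec_is_safe(const char *spec)
{
    if (spec == NULL)
        return false;
    const char *start = spec;
    for (;;) {
        const char *comma = strchr(start, ',');
        size_t len = comma ? (size_t)(comma - start) : strlen(start);
        if (!hop_ok(start, len))
            return false;
        if (comma == NULL)
            return true;         /* last hop accepted */
        start = comma + 1;
    }
}
```

A caller would refuse to start dbclient when the function returns false, rather than trying to escape or repair the rejected value.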