From the OpenSSH update:<p>“Although we believe it is the user's responsibility to ensure
validity of arguments passed to ssh(1), especially across a
security boundary such as the git example above, OpenSSH 9.6 now
bans most shell metacharacters from user and hostnames supplied
via the command-line. This countermeasure is not guaranteed to be
effective in all situations, as it is infeasible for ssh(1) to
universally filter shell metacharacters potentially relevant to
user-supplied commands.” --<a href="https://www.openssh.com/txt/release-9.6" rel="nofollow noreferrer">https://www.openssh.com/txt/release-9.6</a><p>It's not quite a “root can do things as root” CVE, but honestly it's not far off that level of “well, duh”. You can't inject untrusted input (a hostname in this case) into a general-purpose command stream (i.e., the arguments to bash -c or an exec call) and not expect to have trouble.
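
A caller-side version of the point above, as an added example (not code from OpenSSH or from the commenter): since ssh(1) cannot filter every metacharacter, the program that crosses the trust boundary allowlists the user and host and hands them to ssh as separate argv entries, never through a shell. The names `build_ssh_argv`, `UntrustedDestination` and `check_all`, the two patterns, and the sample values are assumptions constructed for illustration.

```python
import re

# RFC 1123 style label: letters, digits, hyphen; no leading or trailing hyphen.
# Dotted IPv4 also matches; IPv6 literals are deliberately out of scope here.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")
# Conservative login-name pattern (assumption; adjust to local account policy).
USER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]{0,31}")


class UntrustedDestination(ValueError):
    """Raised when a user or host value fails the allowlist."""


def build_ssh_argv(user: str, host: str) -> list[str]:
    """Return an argv list for ssh, or raise if either value is not allowlisted.

    fullmatch() is used instead of match() with '$' so that a trailing
    newline is rejected rather than silently accepted.
    """
    if len(host) > 253 or not HOST_RE.fullmatch(host):
        raise UntrustedDestination(f"rejected host: {host!r}")
    if not USER_RE.fullmatch(user):
        raise UntrustedDestination(f"rejected user: {user!r}")
    # Separate argv entries, '--' ends option parsing before the destination.
    # Pass this list to subprocess.run(argv) and never to a shell string.
    return ["ssh", "-l", user, "--", host]


def check_all(pairs):
    """Validate each (user, host) pair; argv on success, None on rejection."""
    results = []
    for user, host in pairs:
        try:
            results.append((user, host, build_ssh_argv(user, host)))
        except UntrustedDestination:
            results.append((user, host, None))
    return results


# Constructed sample inputs, as they might arrive from a URL or config file.
SAMPLES = [
    ("git", "example.org"),          # accepted
    ("deploy", "192.0.2.10"),        # accepted (documentation IPv4 range)
    ("git", "example.org;x"),        # shell metacharacter in host
    ("git", "example.org\n"),        # trailing newline
    ("git", "-dash.example.org"),    # would be parsed as an option
    ("git user", "example.org"),     # whitespace in user
]

if __name__ == "__main__":
    for user, host, argv in check_all(SAMPLES):
        print(f"{user!r}@{host!r}: {'OK ' + ' '.join(argv) if argv else 'REJECTED'}")
```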