Key Takeaways
What is Tailscale SSH? | Tailscale Explained

- A single-character username '-i' could bypass Tailscale SSH ACLs and grant root access on Linux hosts
- A second bug allowed attackers to pin CPU cores indefinitely via malformed HTTP requests to Tailscale Serve/Funnel
- Both vulnerabilities are fixed in Tailscale version 1.98.9 — update immediately if you use these features
Tailscale disclosed two security vulnerabilities this week, one of which allowed any user with SSH access to a Linux node to obtain root privileges by connecting with the username '-i'. The argument injection bug bypassed Tailscale's ACL restrictions entirely, letting attackers escalate privileges on systems that specifically blocked root access. Both flaws are fixed in version 1.98.9.
How a single dash broke access controls
The root cause is a classic Unix problem: user input treated as command-line arguments. Tailscale SSH accepted usernames starting with a dash character. On Linux, these usernames were passed to getent(1) to look up the corresponding passwd entry. When a user connected as '-i', the tool interpreted this as the '--no-idn' flag instead of a username.
The result? getent printed the entire passwd file, starting with the root user. Tailscale's code then opened an interactive session for the first user returned. Root access, handed over by a flag misinterpretation.
This affected any Linux host running Tailscale SSH that relied on the autogroup:nonroot ACL restriction. Organizations using this setting assumed users couldn't obtain root access. That assumption was wrong.
The second bug: CPU exhaustion via HTTP
Tailscale also patched a denial-of-service vulnerability in Tailscale Serve and Tailscale Funnel. These features proxy HTTP requests to local backends by matching request paths against configured mount points. The code walked the request path upward, directory by directory, expecting to eventually hit the root path '/'.
Requests with paths not starting with '/' never reached the root. The loop spun forever. No request timeout interrupted it. One malformed HTTP request pinned a CPU core at 100% for the life of the process.
For Tailscale Serve, an attacker needed access to your tailnet. For Tailscale Funnel, any unauthenticated host on the internet could send the crafted request. If you expose services via Funnel, this was remotely exploitable by anyone.
Who found these bugs?
Tailscale credited Anthropic and Ada Logics for reporting both vulnerabilities. This is notable. Anthropic, the AI company behind Claude, has been running security audits and fuzzing campaigns on infrastructure tools. Ada Logics specializes in continuous fuzzing for open source projects. The combination suggests these bugs were found through systematic automated testing rather than manual code review.
The argument injection pattern is well-documented in security literature. It catches experienced developers because the vulnerability sits at the boundary between application code and system utilities. Your code passes a string; the utility interprets it as a flag. The fix is simple: reject usernames with leading dashes. But you have to know to check.
What startup teams should do now
If you use Tailscale SSH on any Linux host, update to version 1.98.9 or newer immediately. The same applies if you run Tailscale Serve or Tailscale Funnel. Check your tailnet's client versions in the admin console.
Review your ACL policies. If you relied on autogroup:nonroot to restrict SSH access, audit logs for connections using unusual usernames. The vulnerability window extends back to whenever you deployed Tailscale SSH on affected versions.
For teams using Funnel to expose services publicly, this is a reminder that any internet-facing endpoint needs rate limiting and request validation at the edge. A single request consuming a CPU core indefinitely is a cheap denial-of-service attack.
Logicity's Take
Tailscale's transparent disclosure here is the right approach, but this bug highlights a broader problem for startups using modern infrastructure tools. Mesh VPNs like Tailscale, Zerotier, and Netbird abstract away complexity, but that abstraction can hide attack surface. If you're a founder relying on Tailscale SSH as your primary access control for production systems, you've outsourced a critical security boundary. That's not wrong, but it means you need to treat Tailscale updates with the same urgency as patching your OS kernel. The 12+ million devices on Tailscale networks make it an attractive target for attackers looking for privilege escalation paths.
The argument injection pattern keeps appearing
This class of bug won't disappear. Unix tools interpret leading dashes as flags. Every time user input flows to a shell command, system utility, or subprocess, this risk exists. The tar command, rm, and dozens of other utilities have been exploited through argument injection over the years.
The defense is input validation at the boundary. Reject unexpected characters before they reach system calls. Use '--' to signal end of options where utilities support it. And assume any string from external sources might be adversarial.
Frequently Asked Questions
Was this Tailscale vulnerability exploited in the wild?
Tailscale's security bulletin does not indicate active exploitation. The vulnerability was reported by security researchers at Anthropic and Ada Logics before any known attacks.
Does this affect Tailscale on macOS or Windows?
The root access vulnerability specifically affected Linux hosts. The security bulletin mentions Linux platforms as the affected systems for the SSH argument injection bug.
How do I check my Tailscale version?
Run 'tailscale version' on any client machine, or check the Machines tab in your Tailscale admin console to see versions across your entire tailnet.
What is Tailscale SSH and why would attackers target it?
Tailscale SSH lets you SSH into machines on your tailnet without managing SSH keys. Access is controlled by Tailscale ACLs. Attackers target it because compromising access controls can grant persistent privileged access to production infrastructure.
Another recent security disclosure with infrastructure implications for startups
Need Help Implementing This?
If you need help auditing your Tailscale configuration, reviewing ACL policies, or setting up monitoring for your mesh VPN infrastructure, reach out to the Logicity team. We connect startups with vetted security consultants who specialize in modern infrastructure.
Source: Hacker News: Best
Manaal Khan
Tech & Innovation Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.
Related Articles
More in Startups & Innovation
Redwood Materials Layoffs Signal Battery Industry Pivot
Redwood Materials cut 135 jobs (10% of staff) while pivoting toward energy storage, just three months after raising $425M at a $6B+ valuation. For executives watching the battery and EV supply chain, this restructuring reveals where smart money is heading as automotive electrification plans cool down.





