CVE-2025-61985
published 2025-10-06CVE-2025-61985: ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.
PriorityP415low3.6CVSS 3.1
AVLACHPRLUINSUCLILAN
EPSS
0.11%
1.7th percentile
ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openssh | < openssh 1:9.2p1-2+deb12u8 (bookworm) | openssh 1:9.2p1-2+deb12u8 (bookworm) |
| msrc | azl3_openssh_9.8p1-4_on_azure_linux_3.0 | — | — |
| msrc | azl3_openssh_9.8p1-5_on_azure_linux_3.0 | — | — |
| msrc | cbl2_openssh_8.9p1-8_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_openssh_8.9p1-9_on_cbl_mariner_2.0 | — | — |
| openbsd | openssh | < 10.1 | 10.1 |
| openbsd | openssh | >= 0 < 1:9.2p1-2+deb12u8 | 1:9.2p1-2+deb12u8 |
| openbsd | openssh | >= 0 < 1:10.0p1-7+deb13u1 | 1:10.0p1-7+deb13u1 |
| openbsd | openssh | >= 0 < 1:10.1p1-1 | 1:10.1p1-1 |
| openbsd | openssh | >= 0 < 1:8.9p1-3ubuntu0.14 | 1:8.9p1-3ubuntu0.14 |
| openbsd | openssh | >= 0 < 1:9.6p1-3ubuntu13.15 | 1:9.6p1-3ubuntu13.15 |
| openbsd | openssh | >= 0 < 1:10.0p1-5ubuntu5.1 | 1:10.0p1-5ubuntu5.1 |
| openbsd | openssh | >= 0 < 1:8.2p1-4ubuntu0.13+esm1 | 1:8.2p1-4ubuntu0.13+esm1 |
| paloalto | pan-os | — | — |
| paloalto | prisma_sd | — | — |
CVSS provenance
nvdv3.13.6LOWCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
osv3.6LOW
vendor_debian3.6LOW
vendor_msrc3.6LOW
vendor_redhat3.6LOW
vendor_ubuntu3.6LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
OpenSSH vulnerabilities
vendor_ubuntu·2026-03-12·CVSS 3.6
CVE-2025-61984 [LOW] OpenSSH vulnerabilities
Title: OpenSSH vulnerabilities
Summary: Several security issues were fixed in OpenSSH.
Jeremy Brown discovered that the OpenSSH GSSAPI Key Exchange incorrectly
handled disconnecting clients. In non-default configurations where the
GSSAPIKeyExchange setting is enabled, a remote attacker could use this
issue to cause OpenSSH to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2026-3497)
David Leadbeater discovered that OpenSSH incorrectly handled certain
control characters in usernames. When untrusted usernames and the
ProxyCommand are being used, an attacker could possibly use this issue to
execute arbitrary code. (CVE-2025-61984)
David Leadbeater discovered that OpenSSH incorrectly handled NULL
characters in ssh:// URIs. When the ProxyCommand is being u
Ubuntu
OpenSSH vulnerabilities
vendor_ubuntu·2026-03-12·CVSS 3.6
CVE-2025-61984 [LOW] OpenSSH vulnerabilities
Title: OpenSSH vulnerabilities
Summary: Several security issues were fixed in OpenSSH.
USN-8090-1 fixed vulnerabilities in OpenSSH. This update provides the
corresponding updates for Ubuntu 20.04 LTS.
Original advisory details:
Jeremy Brown discovered that the OpenSSH GSSAPI Key Exchange incorrectly
handled disconnecting clients. In non-default configurations where the
GSSAPIKeyExchange setting is enabled, a remote attacker could use this
issue to cause OpenSSH to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2026-3497)
David Leadbeater discovered that OpenSSH incorrectly handled certain
control characters in usernames. When untrusted usernames and the
ProxyCommand are being used, an attacker could possibly use this issue to
execute arbitrary code.
Palo Alto
PAN-SA-2025-0017 Informational Bulletin: Impact of OSS CVEs in Prisma SD-WAN ION
vendor_paloalto·2025-11-02·CVSS 3.6
CVE-2025-61984 [LOW] PAN-SA-2025-0017 Informational Bulletin: Impact of OSS CVEs in Prisma SD-WAN ION
PAN-SA-2025-0017 Informational Bulletin: Impact of OSS CVEs in Prisma SD-WAN ION
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to Prisma SD-WAN ION. While Prisma SD-WAN ION may include the
CVEs: CVE-2025-61984, CVE-2025-61985
Affected products: Prisma SD
Microsoft
ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.
vendor_msrc·2025-10-14·CVSS 3.6
CVE-2025-61985 [LOW] CWE-158 ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.
ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
mitre: mitre
Customer
Red Hat
openssh: OpenSSH: Null character in ssh:// URI can lead to code execution via ProxyCommand
vendor_redhat·2025-10-06·CVSS 3.6
CVE-2025-61985 [LOW] CWE-158 openssh: OpenSSH: Null character in ssh:// URI can lead to code execution via ProxyCommand
openssh: OpenSSH: Null character in ssh:// URI can lead to code execution via ProxyCommand
ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.
A flaw was found in OpenSSH where the SSH client accepted \0 (null) characters in ssh:// URIs. When a ProxyCommand is configured, these characters could alter how the command is parsed, potentially leading to code execution depending on how the proxy is set up.
Statement: The impact is MODERATE because it is a critical component used across many Red Hat products.
Exploiting this vulnerability would require a specific configuration where ProxyCommand is enabled and the SSH client processes an untrusted ssh:// URI containing null bytes. Under these conditions, the
Palo Alto
PAN-SA-2025-0006 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto·2025-02-12·CVSS 7.1
CVE-2015-5312 [HIGH] PAN-SA-2025-0006 Informational Bulletin: Impact of OSS CVEs in PAN-OS
PAN-SA-2025-0006 Informational Bulletin: Impact of OSS CVEs in PAN-OS
T he Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2015-5312, CVE-2016-4607, CVE-2016-4608, CVE-2016-4609, CVE-2016-4738, CVE-2018-1111, CVE-2018-14634, CVE-2018-18653, CVE-2019-0145, CVE-2019-8331, CVE-2020-0599, CVE-2020-14343, CVE-2020-14779, CVE-2020-27844, CVE-2020-29569, CVE-2021-21315, CVE-2021-27853, CVE-2021-27854, CVE-2021-27861, CVE-2021-27862, CVE-2021-3618, CVE-2021-3711, CVE-2022-2097, CVE-2022-22816, CVE-2022-40303, CVE-2022-41723, CVE-2022-41741, CVE-2022-41742, CVE-2023-3247, CVE-2023-38408, CVE-2023-44466, CVE-2023-50781, CVE-2023-50782, CVE-2024-12084, CV
Debian
CVE-2025-61985: openssh - ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potential...
vendor_debian·2025·CVSS 3.6
CVE-2025-61985 [LOW] CVE-2025-61985: openssh - ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potential...
ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.
Scope: local
bookworm: resolved (fixed in 1:9.2p1-2+deb12u8)
bullseye: open
forky: resolved (fixed in 1:10.1p1-1)
sid: resolved (fixed in 1:10.1p1-1)
trixie: resolved (fixed in 1:10.0p1-7+deb13u1)
OSV
openssh vulnerabilities
osv·2026-03-12·CVSS 3.6
CVE-2026-3497 [LOW] openssh vulnerabilities
openssh vulnerabilities
Jeremy Brown discovered that the OpenSSH GSSAPI Key Exchange incorrectly
handled disconnecting clients. In non-default configurations where the
GSSAPIKeyExchange setting is enabled, a remote attacker could use this
issue to cause OpenSSH to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2026-3497)
David Leadbeater discovered that OpenSSH incorrectly handled certain
control characters in usernames. When untrusted usernames and the
ProxyCommand are being used, an attacker could possibly use this issue to
execute arbitrary code. (CVE-2025-61984)
David Leadbeater discovered that OpenSSH incorrectly handled NULL
characters in ssh:// URIs. When the ProxyCommand is being used, an attacker
could possibly use this issue to execute arbitr
OSV
openssh vulnerabilities
osv·2026-03-12·CVSS 3.6
CVE-2026-3497 [LOW] openssh vulnerabilities
openssh vulnerabilities
USN-8090-1 fixed vulnerabilities in OpenSSH. This update provides the
corresponding updates for Ubuntu 20.04 LTS.
Original advisory details:
Jeremy Brown discovered that the OpenSSH GSSAPI Key Exchange incorrectly
handled disconnecting clients. In non-default configurations where the
GSSAPIKeyExchange setting is enabled, a remote attacker could use this
issue to cause OpenSSH to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2026-3497)
David Leadbeater discovered that OpenSSH incorrectly handled certain
control characters in usernames. When untrusted usernames and the
ProxyCommand are being used, an attacker could possibly use this issue to
execute arbitrary code. (CVE-2025-61984)
David Leadbeater discovered that OpenSSH incor
OSV
CVE-2025-61985: ssh in OpenSSH before 10
osv·2025-10-06·CVSS 3.6
CVE-2025-61985 [LOW] CVE-2025-61985: ssh in OpenSSH before 10
ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.
GHSA
GHSA-8gmf-r74v-362p: ssh in OpenSSH before 10
ghsa_unreviewed·2025-10-06
CVE-2025-61985 [LOW] CWE-158 GHSA-8gmf-r74v-362p: ssh in OpenSSH before 10
ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 172 flaws
blogs_bleepingcomputer·2025-10-14·CVSS 7.8
[HIGH] Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 172 flaws
## Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 172 flaws
## Lawrence Abrams
80 Elevation of Privilege Vulnerabilities
11 Security Feature Bypass Vulnerabilities
31 Remote Code Execution Vulnerabilities
28 Information Disclosure Vulnerabilities
11 Denial of Service Vulnerabilities
10 Spoofing Vulnerabilities
When BleepingComputer reports on the Patch Tuesday security updates, we only count those released today by Microsoft. Therefore, the number of flaws does not include those fixed in Azure, Mariner, Microsoft Edge, and other vulnerabilities earlier this month.
Notably, Windows 10 reaches the end of support today , with this being the last Patch Tuesday where Microsoft provides free security updates to the venerable operating system.
To continue receiving security upd
Bugzilla
CVE-2025-61985 openssh: OpenSSH: Null character in ssh:// URI can lead to code execution via ProxyCommand
bugzilla·2025-10-06·CVSS 3.6
CVE-2025-61985 [LOW] CVE-2025-61985 openssh: OpenSSH: Null character in ssh:// URI can lead to code execution via ProxyCommand
CVE-2025-61985 openssh: OpenSSH: Null character in ssh:// URI can lead to code execution via ProxyCommand
ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10
Via RHSA-2025:23479 https://access.redhat.com/errata/RHSA-2025:23479
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2025:23480 https://access.redhat.com/errata/RHSA-2025:23480
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2025:23481 https://access.redhat.com/errata/RHSA-2025:23481
---
This issue has been addressed in the following products:
2025-10-06
Published