CVE-2025-61985

Published Oct 6, 2025

Last updated 9 days ago

CVSS low 3.6
SSH
Port (22)

Overview

Description
ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.
Source
cve@mitre.org
NVD status
Deferred

Risk scores

CVSS 3.1

Type
Secondary
Base score
3.6
Impact score
2.5
Exploitability score
1
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Severity
LOW

Weaknesses

cve@mitre.org
CWE-158

Social media

Hype score
Not currently trending

  1. New Flatcar Alpha, Beta and Stable releases now available! ๐Ÿš€ /etc is now shipped as #systemd confext ๐Ÿ”’ CVE fixes & security patches: CVE-2025-61984 and CVE-2025-61985 for OpenSSH on Stable ๐Ÿ“œ Release notes at the usual spot: https://t.co/rZjTiO6fY2

    @flatcar

    9 Mar 2026

    126 Impressions

    3 Retweets

    7 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  2. ๐Ÿšจ Critical OpenSSH patch for #Fedora42: CVE-2025-61985 & CVE-2025-61984. Input validation flaws in usernames/URLs = risk of DoS or RCE. Read more: ๐Ÿ‘‰ https://t.co/lZhrHlYlfJ #Security https://t.co/g26IuY87W2

    @Cezar_H_Linux

    13 Jan 2026

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Oracle releases Oracle Linux 9 and 10 SSH security updates, fixing CVE-2025-61984 and CVE-2025-61985 that affect username and URL-string handling. #Vulnerability https://t.co/uueYY48hm9

    @threatcluster

    21 Dec 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Technical deep-dive: OpenSSH security update for the #SUSE ecosystem. We've analyzed the new patch for CVE-2025-61984 and CVE-2025-61985. Read more: ๐Ÿ‘‰ https://t.co/nQgPUnxAn0 #Security https://t.co/zN9eFCyovG

    @Cezar_H_Linux

    17 Nov 2025

    38 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Related CVEs

  1. Fortinet FortiClient EMS Improper Access Control Vulnerabilityโ€ขCVE-2026-35616
  2. OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.โ€ขCVE-2026-35414
  3. In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).โ€ขCVE-2026-35385
  4. A malicious SCP server can send unexpected paths that could make the client application override local files outside of working directory. This could be misused to create malicious executable or configuration files and make the user execute them under specific consequences. This is the same issue as in OpenSSH, tracked as CVE-2019-6111.โ€ขCVE-2026-0964
  5. Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.โ€ขCVE-2026-3497

References

Sources include official advisories and independent security research.