CVE-2025-61985

EUVD-2025-32134
ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
mitreCNA
3.6 LOW
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 4%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
openbsdopenssh
𝑥
< 10.1
CNA
Debian logo
Debian Releases
Debian Product
Codename
openssh
bookworm
1:9.2p1-2+deb12u10
fixed
bookworm (security)
1:9.2p1-2+deb12u9
fixed
bullseye
vulnerable
bullseye (security)
1:8.4p1-5+deb11u7
fixed
forky
1:10.3p1-1
fixed
sid
1:10.3p1-2
fixed
trixie
1:10.0p1-7+deb13u4
fixed
trixie (security)
1:10.0p1-7+deb13u2
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
openssh
RHEL 8
0:8.0p1-27.el8_10
fixed
RHEL 9
0:8.7p1-47.el9_7
fixed
openssh-askpass
RHEL 8
0:8.0p1-27.el8_10
fixed
RHEL 9
0:8.7p1-47.el9_7
fixed
openssh-cavs
RHEL 8
0:8.0p1-27.el8_10
fixed
openssh-clients
RHEL 8
0:8.0p1-27.el8_10
fixed
RHEL 9
0:8.7p1-47.el9_7
fixed
openssh-keycat
RHEL 8
0:8.0p1-27.el8_10
fixed
RHEL 9
0:8.7p1-47.el9_7
fixed
openssh-ldap
RHEL 8
0:8.0p1-27.el8_10
fixed
openssh-server
RHEL 8
0:8.0p1-27.el8_10
fixed
RHEL 9
0:8.7p1-47.el9_7
fixed
pam
RHEL 8
0:0.10.3-7.27.el8_10
fixed
RHEL 9
0:0.10.4-5.47.el9_7
fixed
Common Weakness Enumeration
References
https://marc.info/?l=openssh-unix-dev&m=175974522032149&w=2
https://www.openssh.com/releasenotes.html#10.1p1
https://www.openwall.com/lists/oss-security/2025/10/06/1