CVE-2025-61985

NameCVE-2025-61985
Descriptionssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4584-1
Debian Bugs1117530

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openssh (PTS)bullseye1:8.4p1-5+deb11u3vulnerable
bullseye (security)1:8.4p1-5+deb11u7fixed
bookworm1:9.2p1-2+deb12u10fixed
bookworm (security)1:9.2p1-2+deb12u9fixed
trixie1:10.0p1-7+deb13u4fixed
trixie (security)1:10.0p1-7+deb13u2fixed
forky1:10.3p1-1fixed
sid1:10.3p1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
opensshsourcebullseye1:8.4p1-5+deb11u7DLA-4584-1
opensshsourcebookworm1:9.2p1-2+deb12u8
opensshsourcetrixie1:10.0p1-7+deb13u1
opensshsource(unstable)1:10.1p1-11117530

Notes

https://www.openwall.com/lists/oss-security/2025/10/06/1
https://github.com/openssh/openssh-portable/commit/43b3bff47bb029f2299bacb6a36057981b39fdb0 (V_10_1_P1)
Search for package or bug name: Reporting problems