CVE-2025-61985: 
OpenSSH vulnerability analysis and mitigation

CVE-2025-61985 is a security vulnerability discovered in OpenSSH versions before 10.1, disclosed on October 6, 2025. The vulnerability allows the '\0' (null) character in ssh:// URIs, which could potentially lead to code execution when a ProxyCommand is used (NVD, OpenSSH Release).

The vulnerability has been assigned a CVSS v3.1 Base Score of 3.6 (LOW) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N. The issue is related to improper neutralization of null byte characters (CWE-158) in URI handling. The vulnerability specifically affects the SSH client's handling of ProxyCommand configurations when processing ssh:// URIs containing null bytes (NVD, Red Hat).

The impact is considered LOW to MODERATE as exploitation could lead to code execution in specific configurations. The vulnerability requires a specific configuration where ProxyCommand is enabled and the SSH client processes an untrusted ssh:// URI containing null bytes. Under these conditions, the command parser may misinterpret the URI and execute unintended shell commands (Red Hat).

The vulnerability has been fixed in OpenSSH 10.1. The fix includes disallowing control characters in usernames passed via the commandline or expanded using %-sequences from the configuration file, and disallowing \0 characters in ssh:// URIs. For systems that cannot immediately upgrade, it is recommended to avoid using untrusted inputs to construct SSH command lines (OpenSSH Release).

The issue is considered "minor" by OpenSSH developers, as noted in Ubuntu's security assessment. The vulnerability was reported by David Leadbeater and was addressed as part of the OpenSSH 10.1 release (Ubuntu).