CVE-2025-61985
LOWOpenSSH < 10.1 - Remote Code Execution via Null Byte in ssh:// URI
Title source: llmDescription
ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.
References (3)
Core 3
Core References
Various Sources
https://www.openssh.com/releasenotes.html#10.1p1
Scores
CVSS v3
3.6
EPSS
0.0002
EPSS Percentile
4.7%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-158
Status
published
Products (1)
OpenBSD/OpenSSH
< 10.1
Published
Oct 06, 2025
Tracked Since
Feb 18, 2026