{
  "threat_severity" : "Moderate",
  "public_date" : "2025-10-06T00:00:00Z",
  "bugzilla" : {
    "description" : "openssh: OpenSSH: Null character in ssh:// URI can lead to code execution via ProxyCommand",
    "id" : "2401962",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2401962"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-158",
  "details" : [ "ssh in OpenSSH before 10.1 allows the '\\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.", "A flaw was found in OpenSSH where the SSH client accepted \\0 (null) characters in ssh:// URIs. When a ProxyCommand is configured, these characters could alter how the command is parsed, potentially leading to code execution depending on how the proxy is set up." ],
  "statement" : "The impact is MODERATE because OpenSSH is a critical component used across many Red Hat products.\nExploiting this vulnerability would require a specific configuration in which a ProxyCommand is set and the SSH client processes an untrusted ssh:// URI containing null bytes. Under these conditions, the command parser may misinterpret the URI and execute unintended shell commands.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-12-17T00:00:00Z",
    "advisory" : "RHSA-2025:23479",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "openssh-0:9.9p1-12.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-02-02T00:00:00Z",
    "advisory" : "RHSA-2026:1678",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "openssh-0:9.9p1-7.el10_0.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-12-17T00:00:00Z",
    "advisory" : "RHSA-2025:23481",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "openssh-0:8.0p1-27.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-12-17T00:00:00Z",
    "advisory" : "RHSA-2025:23481",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "openssh-0:8.0p1-27.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-12-17T00:00:00Z",
    "advisory" : "RHSA-2025:23480",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "openssh-0:8.7p1-47.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-12-17T00:00:00Z",
    "advisory" : "RHSA-2025:23480",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "openssh-0:8.7p1-47.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-02-03T00:00:00Z",
    "advisory" : "RHSA-2026:1790",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "openssh-0:8.7p1-13.el9_0.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-02-03T00:00:00Z",
    "advisory" : "RHSA-2026:1815",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "openssh-0:8.7p1-30.el9_2.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-01-22T00:00:00Z",
    "advisory" : "RHSA-2026:0976",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "openssh-0:8.7p1-38.el9_4.6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-01-15T00:00:00Z",
    "advisory" : "RHSA-2026:0693",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "openssh-0:8.7p1-45.el9_6.1"
  }, {
    "product_name" : "Red Hat Ceph Storage 7",
    "release_date" : "2026-02-03T00:00:00Z",
    "advisory" : "RHSA-2026:1858",
    "cpe" : "cpe:/a:redhat:ceph_storage:7::el9",
    "package" : "rhceph/rhceph-7-rhel9:sha256:72a6d9deb9325e43639230b2681640b15bab946025810258796f95315febb7f4"
  }, {
    "product_name" : "Red Hat Ceph Storage 8",
    "release_date" : "2026-02-02T00:00:00Z",
    "advisory" : "RHSA-2026:1652",
    "cpe" : "cpe:/a:redhat:ceph_storage:8::el9",
    "package" : "rhceph/rhceph-8-rhel9:sha256:09aaeba975aa74bdf95d63e5619c0cabb1cd9e1410aa34e7f8ecf24a5e291d1a"
  }, {
    "product_name" : "Red Hat Discovery 2",
    "release_date" : "2026-01-08T00:00:00Z",
    "advisory" : "RHSA-2026:0414",
    "cpe" : "cpe:/a:redhat:discovery:2::el9",
    "package" : "discovery/discovery-server-rhel9:sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-01-15T00:00:00Z",
    "advisory" : "RHSA-2026:0685",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/installer-rhel9:sha256:e1d64fbd0e4b90259d9fbb94736ed74c7c384d13067c6bbbb107c664683cb1a9"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-01-15T00:00:00Z",
    "advisory" : "RHSA-2026:0685",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/rhua-rhel9:sha256:4642951a6a57511f8b481a6481fcd417fc7f3de86511cdab28b9b89639c2bdb2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Fix deferred",
    "package_name" : "openssh",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "openssh",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "rhcos",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-61985\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-61985\nhttps://marc.info/?l=openssh-unix-dev&m=175974522032149&w=2\nhttps://www.openssh.com/releasenotes.html#10.1p1\nhttps://www.openwall.com/lists/oss-security/2025/10/06/1" ],
  "name" : "CVE-2025-61985",
  "csaw" : false
}