diff --git a/openssh-8.7p1-reject-null-char-in-url-string.patch b/openssh-8.7p1-reject-null-char-in-url-string.patch
new file mode 100644
index 0000000..146bf12
--- /dev/null
+++ b/openssh-8.7p1-reject-null-char-in-url-string.patch
@@ -0,0 +1,15 @@
+diff --color -ruNp a/misc.c b/misc.c
+--- a/misc.c	2025-12-09 17:16:21.637368818 +0100
++++ b/misc.c	2025-12-09 17:48:22.679192853 +0100
+@@ -936,9 +936,10 @@ urldecode(const char *src)
+ 			*dst++ = ' ';
+ 			break;
+ 		case '%':
++			/* note: don't allow \0 characters */
+ 			if (!isxdigit((unsigned char)src[1]) ||
+ 			    !isxdigit((unsigned char)src[2]) ||
+-			    (ch = hexchar(src + 1)) == -1) {
++			    (ch = hexchar(src + 1)) == -1 || ch == 0) {
+ 				free(ret);
+ 				return NULL;
+ 			}
diff --git a/openssh.spec b/openssh.spec
index 9f5afa0..41f53c0 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -298,6 +298,8 @@ Patch1021: openssh-8.0p1-upstream-ignore-SIGPIPE.patch
 Patch1022: openssh-8.0p1-CVE-2025-26465.patch
 # upstream 35d5917652106aede47621bb3f64044604164043
 Patch1023: openssh-8.0p1-reject-cntrl-chars-in-username.patch
+# upstream 43b3bff47bb029f2299bacb6a36057981b39fdb0
+Patch1024: openssh-8.7p1-reject-null-char-in-url-string.patch
 
 License: BSD
 Group: Applications/Internet
@@ -548,6 +550,7 @@ popd
 %patch1021 -p1 -b .ignore-SIGPIPE
 %patch1022 -p2 -b .cve-2025-26465
 %patch1023 -p1 -b .reject-cntrl-chars-in-username
+%patch1024 -p1 -b .reject-null-char-in-url-string
 
 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -836,6 +839,8 @@ getent passwd sshd >/dev/null || \
 * Wed Dec 10 2025 Zoltan Fridrich <zfridric@redhat.com> - 8.0p1-27
 - CVE-2025-61984: Reject usernames with control characters
   Resolves: RHEL-128400
+- CVE-2025-61985: Reject URL-strings with NULL characters
+  Resolves: RHEL-128390
 
 * Wed Aug 20 2025 Antonio Vieiro <avieirov@redhat.com> - 8.0p1-26
 - Fix missing invalid error code checks in OpenSSH. It prevents