CRITICAL 9.1 RubyGems
OpenC3 COSMOS Vulnerable to Directory Traversal via /script-api/scripts/ endpoint
GHSA-p67j-387g-75wc · CVE-2025-28384
Published · Modified
Description
An issue in the /script-api/scripts/ endpoint of OpenC3 COSMOS 6.0.0 allows attackers to execute a directory traversal.
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-28384
- WEB https://github.com/OpenC3/cosmos/pull/1828
- WEB https://github.com/OpenC3/cosmos/pull/1828/commits/fc7e11310a7cdf9f1939886e1b29009db4d4b718
- PACKAGE https://github.com/OpenC3/cosmos
- WEB https://github.com/OpenC3/cosmos/releases/tag/v6.1.0
- WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/openc3-cosmos-tool-iframe/CVE-2025-28384.yml
- WEB https://openc3.com
- WEB https://visionspace.com/openc3-cosmos-a-security-assessment-of-an-open-source-mission-framework
Ready to move
Start Securing
Free, no credit card | First findings in minutes