openc3-api Vulnerable to Unauthenticated Remote Code Execution

GHSA-w757-4qv9-mghp · CVE-2025-68271

Published Jan 13, 2026 · Modified Feb 3, 2026

Description

Summary

OpenC3 COSMOS contains a critical remote code execution vulnerability reachable through the JSON-RPC API. When a JSON-RPC request uses the string form of certain APIs, attacker-controlled parameter text is parsed into values using String#convert_to_value. For array-like inputs, convert_to_value executes eval().

Because the cmd code path parses the command string before calling authorize(), an unauthenticated attacker can trigger Ruby code execution even though the request ultimately fails authorization (401).

References

WEB https://github.com/OpenC3/cosmos/security/advisories/GHSA-w757-4qv9-mghp
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-68271
WEB https://github.com/OpenC3/cosmos/commit/01e9fbc5e66e9a2500b71a75a44775dd1fc2d1de
PACKAGE https://github.com/OpenC3/cosmos
WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/openc3/CVE-2025-68271.yml

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes