CVE-2025-68271
Unknown Unknown - Not Provided
Critical Remote Code Execution in OpenC3 COSMOS JSON-RPC API

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: GitHub, Inc.

Description
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From 5.0.0 to 6.10.1, OpenC3 COSMOS contains a critical remote code execution vulnerability reachable through the JSON-RPC API. When a JSON-RPC request uses the string form of certain APIs, attacker-controlled parameter text is parsed into values using String#convert_to_value. For array-like inputs, convert_to_value executes eval(). Because the cmd code path parses the command string before calling authorize(), an unauthenticated attacker can trigger Ruby code execution even though the request ultimately fails authorization (401). This vulnerability is fixed in 6.10.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-14
NVD
CVE-2025-68271
EUVD
EUVD-2026-2030
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
openc3 cosmos From 5.0.6 (inc) to 6.10.1 (inc)
openc3 cosmos 6.10.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-68271 is a critical remote code execution vulnerability in OpenC3 COSMOS versions 5.0.0 to 6.10.1. It occurs because certain JSON-RPC API calls accept attacker-controlled text parameters that are parsed using Ruby's String#convert_to_value method. For array-like inputs, this method uses eval(), which executes the input as code. The vulnerability is severe because the command string is parsed and evaluated before authorization checks, allowing an unauthenticated attacker to execute arbitrary Ruby code remotely, even though the request eventually fails authorization. [1]

Impact Analysis

This vulnerability can have a critical impact as it allows remote attackers to execute arbitrary code on the affected system without any privileges or user interaction. This can lead to full system compromise, including unauthorized access, data theft, data modification, and denial of service. The CVSS score of 10.0 reflects its high severity, indicating that confidentiality, integrity, and availability of the system can all be severely affected. [1]

Detection Guidance

Detection can focus on monitoring JSON-RPC API requests to OpenC3 COSMOS versions 5.0.6 through 6.10.1 for suspicious or malformed parameter text that might be parsed using eval(). Specifically, look for JSON-RPC calls containing array-like inputs with unusual Ruby code or eval patterns. Network traffic inspection tools or API logging can be used to identify such requests. However, no specific detection commands are provided in the available resources. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade OpenC3 COSMOS to version 6.10.2 or later, where this vulnerability is fixed. Until the upgrade can be applied, restrict or block access to the JSON-RPC API from untrusted networks to prevent unauthenticated attackers from exploiting the vulnerability. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68271. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart