PT-2026-2491 · Unknown · Openc3 Cosmos

Published 2026-01-13 · Updated 2026-01-14 · CVE-2025-68271

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenC3 COSMOS versions 5.0.0 through 6.10.1

Description: OpenC3 COSMOS provides functionality to send commands to and receive data from embedded systems. Versions 5.0.0 through 6.10.1 contain a remote code execution issue reachable through the JSON-RPC API. When processing JSON-RPC requests, the String#convert_to_value function is used to parse parameter text into values. For array-like inputs, this function executes eval(). The cmd code path parses the command string before authorization, so an unauthenticated attacker can trigger Ruby code execution even if the request ultimately fails authorization. The vulnerable function is convert_to_value(). The API accepts the string form of certain API calls. The vulnerable parameter is the attacker-controlled parameter text.

Recommendations: Update to version 6.10.2 or later.
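The defect class described above, as an added example that is not OpenC3 COSMOS code: a hypothetical `safe_convert_to_value` turns parameter text into scalar or array values without ever calling `eval` (array-like text goes through `JSON.parse`, which yields only data), and a hypothetical `handle_cmd` checks authorization before the text is parsed at all. The function names and the `authorized:` flag are assumptions.

```ruby
require 'json'

# Hypothetical replacement for an eval-based string-to-value converter.
# Scalars are matched with anchored regexes; array-like text is handed to
# JSON.parse (not JSON.load, so no create_additions), which can only return
# numbers, strings, arrays, hashes, booleans or nil. Anything that is not a
# recognised scalar or valid JSON array comes back unchanged as a String.
def safe_convert_to_value(text)
  s = text.strip
  return s.to_i if s.match?(/\A[-+]?\d+\z/)
  return s.to_f if s.match?(/\A[-+]?\d+\.\d+(?:[eE][-+]?\d+)?\z/)
  return s.hex  if s.match?(/\A0[xX]\h+\z/)
  return true   if s == 'true'
  return false  if s == 'false'
  return nil    if s == 'nil' || s == 'null'
  if s.start_with?('[') && s.end_with?(']')
    begin
      parsed = JSON.parse(s)
      return parsed if parsed.is_a?(Array)
    rescue JSON::ParserError
      # Not a JSON array (e.g. contains expressions): fall through and keep
      # the raw text as a literal string instead of evaluating it.
    end
  end
  s
end

# Defensive ordering for the cmd path: decide authorization first, so an
# unauthorized caller never reaches the parameter parser. Returns a
# [status, value] pair instead of raising, to keep the example simple.
def handle_cmd(param_text, authorized:)
  return [:denied, nil] unless authorized
  [:ok, safe_convert_to_value(param_text)]
end
```

A string such as `"[1, 2 + 3]"` would be evaluated as Ruby by an `eval`-based converter; here it fails `JSON.parse` and is returned untouched as text.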

Exploit · Fix · RCE · Eval Injection

Weakness Enumeration

Related Identifiers

CVE-2025-68271
GHSA-W757-4QV9-MGHP

Affected Products

Openc3 Cosmos