CVE-2025-28384
📋 TL;DR
This directory traversal vulnerability in OpenC3 COSMOS allows attackers to access files outside the intended directory via the /script-api/scripts/ endpoint. Attackers could read sensitive system files, potentially leading to information disclosure or further exploitation. All OpenC3 COSMOS deployments before version 6.1.0 are affected.
💻 Affected Systems
- OpenC3 COSMOS
📦 What is this software?
Cosmos by Openc3
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through reading sensitive configuration files, credentials, or executing arbitrary code by accessing critical system files.
Likely Case
Information disclosure of sensitive configuration files, scripts, or credentials stored in accessible directories.
If Mitigated
Limited impact with proper network segmentation and access controls preventing external access to vulnerable endpoints.
🎯 Exploit Status
Directory traversal vulnerabilities typically have low exploitation complexity and can be exploited with simple HTTP requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.1.0
Vendor Advisory: https://github.com/OpenC3/cosmos/releases/tag/v6.1.0
Restart Required: Yes
Instructions:
1. Back up your current configuration and data.
2. Update OpenC3 COSMOS to version 6.1.0 or later.
3. Restart the COSMOS services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the /script-api/scripts/ endpoint using firewall rules or network segmentation.
Web Application Firewall
Implement WAF rules to block directory traversal patterns in requests to the vulnerable endpoint.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the COSMOS instance from untrusted networks.
- Deploy a reverse proxy or WAF with rules to detect and block directory traversal attempts.
🔍 How to Verify
Check if Vulnerable:
Check if your OpenC3 COSMOS version is below 6.1.0. Test by attempting to access files outside the intended directory via the /script-api/scripts/ endpoint.
Check Version:
Check the COSMOS version in the web interface or configuration files, or run: docker images | grep openc3/cosmos
Verify Fix Applied:
After updating to 6.1.0 or later, verify that directory traversal attempts to the /script-api/scripts/ endpoint are properly blocked.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /script-api/scripts/ containing '../' or similar traversal patterns
- Access denied errors for traversal attempts
- Unusual file access patterns
Network Indicators:
- HTTP requests with directory traversal sequences in URL parameters or paths
- Multiple failed attempts to access restricted paths
SIEM Query:
source="web_logs" AND url_path="/script-api/scripts/*" AND (url_query="*../*" OR url_path="*../*")
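The log indicators above applied in code, as an added example that is not part of this advisory: a small Python detector that parses constructed common-log-format lines (the IPs, timestamps and file names are made up), percent-decodes each request target so encoded variants such as %2e%2e%2f are caught alongside a literal ../, and flags only requests to /script-api/scripts/ whose path contains a whole `..` segment. The response status is kept because a 2xx on such a request is a stronger sign of exposure than a 403 from a WAF or the patched endpoint.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in common log format (not real COSMOS logs).
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Apr/2025:10:00:01 +0000] "GET /script-api/scripts/INST/procedures/checks.rb HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Apr/2025:10:00:07 +0000] "GET /script-api/scripts/../../etc/hostname HTTP/1.1" 200 64',
    '10.0.0.9 - - [01/Apr/2025:10:00:08 +0000] "GET /script-api/scripts/..%2F..%2Fconfig%2Fsecrets.yml HTTP/1.1" 403 0',
    '10.0.0.9 - - [01/Apr/2025:10:00:09 +0000] "GET /script-api/scripts/%2e%2e%2f%2e%2e%2fplugins HTTP/1.1" 403 0',
    '10.0.0.7 - - [01/Apr/2025:10:01:00 +0000] "GET /tools/cmdtlmserver HTTP/1.1" 200 2048',
    '10.0.0.8 - - [01/Apr/2025:10:01:30 +0000] "GET /script-api/scripts/TEST/my..file.rb HTTP/1.1" 200 128',
]

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A '..' that forms a whole path segment; a file named 'my..file.rb' must not match.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")

def decode_path(target: str) -> str:
    """Drop the query string, percent-decode repeatedly (assumes at most three
    encoding layers) and normalise backslashes, so '%2e%2e%2f' becomes '../'."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def has_traversal(path: str) -> bool:
    return TRAVERSAL_RE.search(path) is not None

def find_traversal_attempts(lines, endpoint="/script-api/scripts/"):
    """Parsed requests to the endpoint whose decoded path has a '..' segment.
    The status is kept: a 2xx on such a request is a stronger signal than a 403."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        path = decode_path(rec["target"])
        if path.startswith(endpoint) and has_traversal(path):
            hits.append({**rec, "decoded_path": path})
    return hits
```

Running it over the sample lines flags the three requests from 10.0.0.9 and nothing else; feed it your reverse proxy or COSMOS access log instead of SAMPLE_LOGS to triage real traffic.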
🔗 References
- https://github.com/OpenC3/cosmos/pull/1828
- https://github.com/OpenC3/cosmos/pull/1828/commits/fc7e11310a7cdf9f1939886e1b29009db4d4b718
- https://github.com/OpenC3/cosmos/releases/tag/v6.1.0
- https://openc3.com/
- https://visionspace.com/openc3-cosmos-a-security-assessment-of-an-open-source-mission-framework/