CVE-2025-68271
📋 TL;DR
OpenC3 COSMOS versions 5.0.0 through 6.10.1 contain a critical remote code execution vulnerability in the JSON-RPC API. The String#convert_to_value method, which turns incoming string parameters into typed values, passes array-like strings (ones that begin with [ and end with ]) to Ruby's eval(), so an attacker who can reach the API can run arbitrary Ruby inside the COSMOS server process by placing code in such a string in a request parameter. No authentication is required to trigger it. Every deployment running an affected version with the JSON-RPC API reachable is at risk.
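The sink described above, as an added example that is not OpenC3's code: a simplified reconstruction of a string-to-value conversion that evaluates array-like strings with Kernel#eval, next to a hardened version that parses them as JSON instead. The regexes, the conversion order and the module names are assumptions made for illustration; the payload uses a harmless global as evidence that code ran instead of a shell command.

```ruby
require 'json'

# Added example (not OpenC3's code). Regexes are assumptions: the real
# implementation may test types in a different order.
ARRAY_LIKE = /\A\s*\[.*\]\s*\z/m
INTEGER    = /\A\s*[-+]?\d+\s*\z/
FLOAT      = /\A\s*[-+]?\d*\.\d+\s*\z/

# Evidence collector: an attacker would run a command here instead.
$evidence = []

module VulnerableConvert
  # Mirrors the vulnerable pattern: an array-like string is evaluated as
  # Ruby source, so "[1, 2, `id`]" would execute the id command.
  def self.convert_to_value(str)
    return str.to_i  if str.match?(INTEGER)
    return str.to_f  if str.match?(FLOAT)
    return eval(str) if str.match?(ARRAY_LIKE)   # the eval() sink
    str
  end
end

module SafeConvert
  # Same conversion without eval: an array-like string is accepted only
  # as a JSON array literal; anything else stays an opaque string.
  def self.convert_to_value(str)
    return str.to_i if str.match?(INTEGER)
    return str.to_f if str.match?(FLOAT)
    if str.match?(ARRAY_LIKE)
      begin
        return JSON.parse(str)
      rescue JSON::ParserError
        return str                      # treated as data, never as code
      end
    end
    str
  end
end

if $PROGRAM_NAME == __FILE__
  # Benign stand-in for a shell command: the side effect proves eval ran.
  payload = '[1, 2, $evidence << :code_ran]'
  p VulnerableConvert.convert_to_value(payload)   # code executed
  p $evidence
  $evidence.clear
  p SafeConvert.convert_to_value(payload)         # returned unchanged
  p $evidence
  p SafeConvert.convert_to_value('[1, 2.5, "x"]') # real literals still convert
end
```

The hardened version keeps the behaviour legitimate callers rely on (numbers and genuine array literals still convert) while closing the sink; a value that is not valid JSON is returned as the string it was, and the caller can decide whether to reject it.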
💻 Affected Systems
- OpenC3 COSMOS
⚠️ Manual Verification Required
Automated scanners that key on NVD/CPE version data may not flag this CVE if the database entry carries no version ranges, so do not rely on them alone: compare your deployed version against the 5.0.0 through 6.10.1 range above and against the vendor advisory yourself.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, steal sensitive data, install malware, pivot to other systems, and maintain persistent access.
Likely Case
Remote code execution leading to data exfiltration, service disruption, and potential lateral movement within the network.
If Mitigated
Limited impact if proper network segmentation and access controls prevent unauthorized access to the JSON-RPC API.
🎯 Exploit Status
Exploitation is straightforward once the trigger is understood: a single JSON-RPC request whose parameter is an array-like string wrapping Ruby code reaches eval(). No authentication is required to trigger the code execution.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.10.2
Vendor Advisory: https://github.com/OpenC3/cosmos/security/advisories/GHSA-w757-4qv9-mghp
Restart Required: Yes
Instructions:
1. Update OpenC3 COSMOS to version 6.10.2 or later.
2. Restart all COSMOS services.
3. Verify the update was successful by checking the version.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the JSON-RPC API to trusted IP addresses or internal networks only.
Use firewall rules to block external access to the port that fronts the API (the COSMOS web gateway; 2900 in the standard Docker deployment, though the port varies by configuration).
API Authentication Enforcement
Add an authentication layer in front of COSMOS so that unauthenticated requests never reach the vulnerable code path.
Configure a reverse proxy with authentication (e.g., nginx with basic auth or OAuth) and make sure the COSMOS ports themselves are reachable only from the proxy, otherwise the proxy can simply be bypassed.
🧯 If You Can't Patch
- Immediately restrict network access to the JSON-RPC API using firewall rules or network segmentation.
- Monitor logs for suspicious JSON-RPC requests and implement rate limiting or request filtering.
🔍 How to Verify
Check if Vulnerable:
Check the OpenC3 COSMOS version. If it's between 5.0.0 and 6.10.1 inclusive, the system is vulnerable.
Check Version:
Check the COSMOS version in the web interface or in the deployment configuration (for a container deployment, the image tag, typically the OPENC3_TAG value in the project .env file). Where the openc3 gem is installed locally, you can also run: ruby -ropenc3 -e 'puts OpenC3::VERSION'
Verify Fix Applied:
Confirm the version is 6.10.2 or later and, in a test environment you control, check that a JSON-RPC request carrying an array-like string parameter with Ruby syntax in it is handled as data (rejected or passed through as a string) rather than executed. Use a harmless marker expression, never a real payload, and confirm that normal API calls still succeed.
📡 Detection & Monitoring
Log Indicators:
- JSON-RPC requests whose string parameters look like Ruby array literals (begin with [ and end with ]) but are not plain lists of values, especially ones containing backticks, %x, system, exec, IO.popen, Open3, Kernel, File, require or eval
- Failed authentication attempts (HTTP 401) from the same source shortly before such requests, and unexpected child processes or outbound connections from the COSMOS API process
Network Indicators:
- Unusual traffic to JSON-RPC API endpoints from unauthorized sources, spikes in request volume
SIEM Query:
source="cosmos" AND (json_rpc OR api) AND (eval OR convert_to_value OR unauthorized)
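The log indicator above as working detection logic, added here as an example rather than taken from OpenC3 or any SIEM: it walks every string inside the params and keyword_params of captured JSON-RPC request bodies and flags array-like strings that are not a plain JSON array literal. The log format (one JSON body per line), the marker list and the sample lines are constructed assumptions, not real traffic.

```ruby
require 'json'

# Added example (not OpenC3's code). Request shape and log format are
# assumed; tune CODE_MARKERS to your environment.
ARRAY_LIKE   = /\A\s*\[.*\]\s*\z/m
CODE_MARKERS = /`|%x|\bsystem\b|\bexec\b|\bspawn\b|IO\.popen|Open3|Kernel|\bFile\b|\beval\b|\brequire\b/

# Returns a reason when a parameter would reach the eval() sink with
# something other than a literal array, nil otherwise.
def suspicious_reason(value)
  return nil unless value.is_a?(String) && value.match?(ARRAY_LIKE)
  return 'array-like string containing Ruby code markers' if value.match?(CODE_MARKERS)
  JSON.parse(value)          # a well-formed JSON array is ordinary data
  nil
rescue JSON::ParserError
  'array-like string that is not a JSON array literal'
end

# Yields every string nested anywhere inside obj together with its path.
def each_string(obj, path, &blk)
  case obj
  when String then yield path, obj
  when Array  then obj.each_with_index { |v, i| each_string(v, "#{path}[#{i}]", &blk) }
  when Hash   then obj.each { |k, v| each_string(v, "#{path}.#{k}", &blk) }
  end
end

# One finding per suspicious parameter: line number, RPC method, path,
# value and the reason it was flagged.
def scan_requests(lines)
  findings = []
  lines.each_with_index do |line, idx|
    req = JSON.parse(line) rescue nil          # not a JSON body: skip it
    next unless req.is_a?(Hash)
    %w[params keyword_params].each do |key|
      each_string(req[key], key) do |path, value|
        reason = suspicious_reason(value)
        next unless reason
        findings << { line: idx + 1, method: req['method'], path: path,
                      value: value, reason: reason }
      end
    end
  end
  findings
end

# Constructed sample log: lines 1-3 are benign, 4 and 5 are the indicator.
SAMPLE_REQUESTS = <<~'LOG'.lines.map(&:strip)
  {"jsonrpc":"2.0","method":"tlm","params":["INST","HEALTH_STATUS","TEMP1"],"id":1}
  {"jsonrpc":"2.0","method":"cmd","params":["INST COLLECT with TYPE NORMAL, DURATION 1.0"],"id":2}
  {"jsonrpc":"2.0","method":"cmd","params":["INST","ARYCMD",{"ARRAY":"[1, 2, 3]"}],"id":3}
  {"jsonrpc":"2.0","method":"cmd","params":["INST","ARYCMD",{"ARRAY":"[`id`]"}],"id":4}
  {"jsonrpc":"2.0","method":"cmd","params":["INST","ARYCMD",{"ARRAY":"[ENV.to_a]"}],"id":5}
  not a json line at all
LOG

if $PROGRAM_NAME == __FILE__
  scan_requests(SAMPLE_REQUESTS).each do |f|
    puts "line #{f[:line]} #{f[:method]} #{f[:path]}=#{f[:value].inspect}: #{f[:reason]}"
  end
end
```

The JSON.parse fallback matters: legitimate array parameters such as "[1, 2, 3]" must not page anyone, while any array-shaped string that is not a literal is exactly what would have been handed to eval() on an unpatched host. The marker list is a heuristic and can be extended without changing the structural check.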