Remote Code Execution Vulnerability in OpenC3 COSMOS by OpenC3
CVE-2025-68271

10 CRITICAL

Key Information:

Vendor: OpenC3
Status: Vendor
CVE Published: 13 January 2026

What is CVE-2025-68271?

OpenC3 COSMOS, versions 5.0.0 to 6.10.1, has a remote code execution vulnerability that can be exploited via the JSON-RPC API. This issue arises when certain API requests allow attacker-controlled parameter text to be parsed. The vulnerable method, String#convert_to_value, can execute arbitrary Ruby code due to the use of the eval() function. An unauthenticated attacker may exploit this flaw to run commands on the system before the authorization check occurs. This vulnerability has been addressed in version 6.10.2.
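The description above names the root cause as a value-conversion helper that falls back to eval() on caller-supplied text. The following added example (illustrative code written for this page, not OpenC3 COSMOS's own String#convert_to_value or its 6.10.2 fix) contrasts that pattern with a whitelist parser that recognises only literal forms and treats everything else as an opaque string. The module name, method names and regular expressions are assumptions made for the illustration.

```ruby
# Added example (not OpenC3 COSMOS code): an eval-based value converter
# beside a whitelist parser that never executes its input.
require 'json'

module ValueParser
  # Unsafe pattern: text that is not a plain integer is handed to eval, so
  # whatever the caller sends becomes Ruby code. Kept only for contrast.
  def self.convert_with_eval(text)
    Integer(text)
  rescue ArgumentError
    eval(text) # hypothetical illustration of the flawed fallback
  end

  INT_RE   = /\A[+-]?\d+\z/
  HEX_RE   = /\A0[xX]\h+\z/
  FLOAT_RE = /\A[+-]?(\d+\.\d*|\.\d+|\d+)([eE][+-]?\d+)?\z/

  # Hardened pattern: each accepted form is matched by an explicit grammar
  # and converted with a non-evaluating constructor. Anything that does not
  # match is returned unchanged as a String; no code path interprets it.
  def self.convert_safely(text)
    s = text.strip
    case s
    when INT_RE then Integer(s, 10)
    when HEX_RE then Integer(s, 16)
    when FLOAT_RE then Float(s)
    when 'true' then true
    when 'false' then false
    when 'nil', 'null' then nil
    when /\A\[.*\]\z/m
      # Arrays are delegated to the JSON parser, which only produces data.
      begin
        JSON.parse(s)
      rescue JSON::ParserError
        s
      end
    when /\A(['"]).*\1\z/m then s[1..-2] # quoted string, quotes removed
    else s # opaque text stays text; nothing is executed
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: the last one is an expression, not a literal.
  ['42', '0x1A', '1.5', 'true', '[1, 2, 3]', '"hello"', '1 + 1'].each do |t|
    puts "#{t.inspect} -> #{ValueParser.convert_safely(t).inspect}"
  end
end
```

The two converters agree on every literal form; they differ only on text such as "1 + 1", which the eval-based version computes and the whitelist version leaves as a String. When auditing an API layer, the check to make is that every conversion helper reachable from request parameters sits on the hardened side of that line, and that it is reached only after authorization has succeeded.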

Affected Version(s)

cosmos >= 5.0.0, < 6.10.2

References

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published
  • Vulnerability reserved