Headline
GHSA-w757-4qv9-mghp: openc3-api Vulnerable to Unauthenticated Remote Code Execution
Summary
OpenC3 COSMOS contains a critical remote code execution vulnerability reachable through the JSON-RPC API. When a JSON-RPC request uses the string form of certain APIs, attacker-controlled parameter text is parsed into values using String#convert_to_value. For array-like inputs, convert_to_value executes eval().
Because the cmd code path parses the command string before calling authorize(), an unauthenticated attacker can trigger Ruby code execution even though the request ultimately fails authorization (401).
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-68271
openc3-api Vulnerable to Unauthenticated Remote Code Execution
Critical severity GitHub Reviewed Published Jan 13, 2026 in OpenC3/cosmos • Updated Jan 13, 2026
Package
Affected versions
>= 5.0.6, < 6.10.2
Summary
OpenC3 COSMOS contains a critical remote code execution vulnerability reachable through the JSON-RPC API. When a JSON-RPC request uses the string form of certain APIs, attacker-controlled parameter text is parsed into values using String#convert_to_value. For array-like inputs, convert_to_value executes eval().
Because the cmd code path parses the command string before calling authorize(), an unauthenticated attacker can trigger Ruby code execution even though the request ultimately fails authorization (401).
References
- GHSA-w757-4qv9-mghp
- OpenC3/cosmos@01e9fbc
Published to the GitHub Advisory Database
Jan 13, 2026
Last updated
Jan 13, 2026