10

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-68271

CVE-2025-68271: Unauthenticated Remote Code Execution in openc3-api

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From 5.0.0 to 6.10.1, OpenC3 COSMOS contains a critical remote code execution vulnerability reachable through the JSON-RPC API. When a JSON-RPC request uses the string form of certain APIs, attacker-controlled parameter text is parsed into values using String#convert_to_value. For array-like inputs, convert_to_value executes eval(). Because the cmd code path parses the command string before calling authorize(), an unauthenticated attacker can trigger Ruby code execution even though the request ultimately fails authorization (401). This vulnerability is fixed in 6.10.2.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-68271

CVE-2025-68271:

10

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
openc3	rubygems	>= 5.0.6, < 6.10.2	6.10.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a classic 'eval injection' found in the OpenC3 COSMOS API server. The security advisory and the provided patch point directly to the root cause. The commit 01e9fbc5e66e9a2500b71a75a44775dd1fc2d1de modifies two files, one for Ruby and one for Python. The vulnerability description specifically mentions that the cmd code path uses String#convert_to_value which executes eval(). Analyzing the patch for openc3/lib/openc3/core_ext/string.rb confirms this. The convert_to_value method on the Ruby String class explicitly used eval(self) if the string was determined to be an array-like structure. This is the vulnerable function. An unauthenticated attacker could send a JSON-RPC request with a specially crafted string parameter that would be passed to this function, leading to remote code execution. The fix involves replacing the dangerous eval() call with YAML.safe_load(), which is designed to safely parse data structures from strings. The corresponding Python file was also updated for consistency to handle object-like strings, but it was already using the safer ast.literal_eval, so the primary vulnerability was in the Ruby implementation.

Vulnerable functions

String.convert_to_value

openc3/lib/openc3/core_ext/string.rb

The function `convert_to_value` in `openc3/lib/openc3/core_ext/string.rb` was vulnerable to remote code execution. It used `eval()` to parse string inputs that were identified as arrays (`is_array?`). An attacker could craft a string that looked like an array but contained arbitrary Ruby code, which would be executed by the `eval()` call. The patch replaces the unsafe `eval(self)` with `YAML.safe_load(self)`, which safely parses the string without executing code.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

10

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-68271: Unauthenticated Remote Code Execution in openc3-api

CVE-2025-68271:

10

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

10

10

CVE-2025-68271: Unauthenticated Remote Code Execution in openc3-api

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI