OpenC3 COSMOS Remote Code Execution Vulnerability via JSON-RPC API

Vulnerability

A critical remote code execution vulnerability has been identified in OpenC3 COSMOS versions 5.0.0 prior to 6.10.1. This vulnerability is accessible through the JSON-RPC API. The issue arises when JSON-RPC requests use the string form of certain APIs, so that attacker-controlled parameter text is parsed into values by the String#convert_to_value method. For inputs that resemble arrays, this method calls eval() on the text. A crafted JSON-RPC request that reaches this string parsing therefore leads to unauthorized Ruby code execution on the server.
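
The safe pattern for this class of bug is to parse parameter text as data rather than evaluate it. The following is an added example, not OpenC3 COSMOS code: a hypothetical eval-free converter for the kinds of parameter text described above. The method name convert_to_value and the set of accepted literal types (integers, floats, booleans, nil, and JSON arrays of those) are assumptions; the point is that the array-like branch goes through JSON.parse, which never executes Ruby, and anything it rejects stays an inert String.

```ruby
require 'json'

# Hypothetical eval-free replacement for a string-to-value converter
# (added example, not the project's own code). Only literal values are
# recognised; unrecognised text is returned unchanged and never executed.
module SafeConvert
  INT_RE   = /\A[-+]?\d+\z/
  FLOAT_RE = /\A[-+]?(\d+\.\d+([eE][-+]?\d+)?|\d+[eE][-+]?\d+)\z/

  # True only for scalars and (nested) arrays of scalars, i.e. values
  # that JSON can produce without any code path being evaluated.
  def self.literal?(value)
    case value
    when Integer, Float, String, TrueClass, FalseClass, NilClass then true
    when Array then value.all? { |v| literal?(v) }
    else false
    end
  end

  def self.convert_to_value(str)
    s = str.strip
    return Integer(s, 10) if s.match?(INT_RE)
    return Float(s)       if s.match?(FLOAT_RE)
    return true  if s == 'true'
    return false if s == 'false'
    return nil   if s == 'nil'
    if s.start_with?('[') && s.end_with?(']')
      begin
        # JSON.parse builds data only; an expression such as "[1 + 1]"
        # is a parse error here, whereas eval() would have run it.
        parsed = JSON.parse(s)
        return parsed if parsed.is_a?(Array) && literal?(parsed)
      rescue JSON::ParserError
        # not a literal array: fall through and keep the raw string
      end
    end
    str
  end
end
```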

Impact

Exploitation of this vulnerability allows for unauthenticated remote code execution on the server where OpenC3 COSMOS is running.

Remediation

Users can upgrade to OpenC3 COSMOS version 6.10.2 to address this vulnerability.

Added: Jan 13, 2026, 9:21 PM
Updated: Jan 13, 2026, 9:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 7.4
remediation: 7.7
relevance: 2.0
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.