CVE-2025-28382
Description
An issue in the openc3-api/tables endpoint of OpenC3 COSMOS before 6.1.0 allows attackers to execute a directory traversal.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A directory traversal vulnerability in the openc3-api/tables endpoint of OpenC3 COSMOS before 6.1.0 can be exploited to read or write files outside the intended directory, allowing an attacker to gain unauthorized access.
Vulnerability
Overview
The vulnerability lies in the openc3-api/tables endpoint of OpenC3 COSMOS, an open-source command and control framework for embedded systems and satellites [2]. The issue allows a directory traversal attack, meaning an attacker can manipulate file paths to access files outside the intended directory [1].
Exploitation and Attack Surface
Directory traversal can be triggered without authentication in certain configurations depending on how the API is exposed. The vulnerability is present in versions before 6.1.0, which added a fix by disallowing parent directory paths in the sanitize_params function [4].
Impact
An attacker exploiting this vulnerability could read sensitive files (e.g., configuration files containing credentials) or possibly write files to unintended locations, depending on how the endpoint processes file operations. This could lead to further compromise of the system, such as obtaining session tokens or executing arbitrary code.
Mitigation
The issue is fixed in OpenC3 COSMOS version 6.1.0, released with a security patch that specifically disallows parent directory paths in the sanitize_params function [4]. Users are strongly recommended to update to this version or later. No workarounds were provided for earlier versions.
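The idea behind the fix, as an added Ruby example that is not OpenC3's own code: a stand-alone sanitizer that, like the patched sanitize_params, maps parent-directory references (literal or percent-encoded) to "-" and refuses any value that changed, plus a second layer that canonicalizes the final path and confirms it stays under the tables directory. The function names, the /srv/tables base directory and the sample inputs are assumptions of this example.

```ruby
# Added example, not OpenC3 code: the two-layer check described above.
# Names (sanitize_table_param, resolve_within, safe_table_path) and the
# /srv/tables base directory used in the usage call are assumptions.

# Characters a table name may never contain. The backslash must stay last:
# String#tr treats a backslash anywhere else as an escape for the next char.
UNSAFE_CHARS = "\u{202E}%$|:;\t\r\n\\".freeze

# Layer 1: mirrors the patched sanitize_params. Returns the value unchanged,
# or nil when anything had to be altered (the caller then answers HTTP 400).
def sanitize_table_param(arg, allow_forward_slash: false, allow_parent_dir: false)
  value = arg.scrub("\uFFFD").strip
  value = value.tr(allow_forward_slash ? UNSAFE_CHARS : "/" + UNSAFE_CHARS, "-")
  # Two consecutive dots, literal or percent-encoded (case-insensitive),
  # form a parent-directory reference. This also rejects honest names such
  # as "a..b", which is the intended trade-off for a path component.
  value = value.gsub(/(\.|%2e){2}/i, "-") unless allow_parent_dir
  value == arg ? value : nil
end

# Layer 2: canonicalize and confirm the result is still inside base_dir.
# File.expand_path is lexical (no symlink resolution) and also expands a
# leading "~", which is exactly why this containment check is kept.
def resolve_within(base_dir, relative)
  base = File.expand_path(base_dir)
  target = File.expand_path(relative, base)
  inside = target == base || target.start_with?(base + File::SEPARATOR)
  inside ? target : nil
end

# Both layers together; nil means "reject the request".
def safe_table_path(base_dir, arg, allow_forward_slash: false)
  clean = sanitize_table_param(arg, allow_forward_slash: allow_forward_slash)
  clean && resolve_within(base_dir, clean)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: one plain name, one in a subdirectory, and two
  # forms of a parent-directory reference that both come back as nil.
  ["my_table.bin", "sub/my_table.bin", "../secret.bin", "%2e%2e/secret.bin"].each do |name|
    puts "#{name.inspect} -> #{safe_table_path('/srv/tables', name, allow_forward_slash: true).inspect}"
  end
end
```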
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- OpenC3/OpenC3 COSMOS (sources: description, ghsa-coords)
Patches
fc7e11310a7c: Disallow parent dir path in sanitize_params
2 files changed · +8 −2
openc3-cosmos-cmd-tlm-api/app/controllers/application_controller.rb+4 −1 modified@@ -57,7 +57,7 @@ def authorization(permission, target_name: nil, perform_render: true) end end - def sanitize_params(param_list, require_params: true, allow_forward_slash: false) + def sanitize_params(param_list, require_params: true, allow_forward_slash: false, allow_parent_dir: false) if require_params result = params.require(param_list) else @@ -78,6 +78,9 @@ def sanitize_params(param_list, require_params: true, allow_forward_slash: false else value = arg.encode(Encoding::UTF_8, invalid: :replace, undef: :replace, replace: "�").strip.tr("\u{202E}%$|:;/\t\r\n\\", "-") end + if not allow_parent_dir + value = value.gsub(/(\.|%2e){2}/i, "-") + end if value != arg render json: { status: 'error', message: "Invalid #{param_list[index]}: #{arg}" }, status: 400 return false
openc3-cosmos-script-runner-api/app/controllers/application_controller.rb+4 −1 modified@@ -68,7 +68,7 @@ def authorization(permission, target_name: nil) return true end - def sanitize_params(param_list, require_params: true, allow_forward_slash: false) + def sanitize_params(param_list, require_params: true, allow_forward_slash: false, allow_parent_dir: false) if require_params result = params.require(param_list) else @@ -89,6 +89,9 @@ def sanitize_params(param_list, require_params: true, allow_forward_slash: false else value = arg.encode(Encoding::UTF_8, invalid: :replace, undef: :replace, replace: "�").strip.tr("\u{202E}%$|:;/\t\r\n\\", "-") end + if not allow_parent_dir + value = value.gsub(/(\.|%2e){2}/i, "-") + end if value != arg render json: { status: 'error', message: "Invalid #{param_list[index]}: #{arg}" }, status: 400 return false
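Review bot: the `allow_parent_dir: false` keyword added to `sanitize_params` defaults to the safe behaviour, but the patch touches only the two shared `application_controller.rb` files, so whether the tables endpoint is actually covered depends on that controller passing its path parameter through `sanitize_params`, which is not visible here; a controller spec that sends `..` and `%2e%2e` in the parameter and expects the 400 response would pin that down, and none is added in the 2 files changed. The two copies of the change are byte-for-byte identical, so a shared concern would keep the cmd-tlm and script-runner controllers from drifting apart.

Review bot: in the `gsub` hunk, `value = value.gsub(/(\.|%2e){2}/i, "-")` replaces any two adjacent `.` or `%2e` tokens, so an honest name containing `..` (for example `a..b`) is also rejected with 400 because `value != arg`; that is a reasonable default for a path component but deserves a comment at the call. In the visible `else` branch the preceding `tr` call has already mapped `%` to `-`, so the `%2e` alternative can only matter in the `if` branch above it that the hunk does not show. Style: `unless allow_parent_dir` is the idiomatic form of `if not allow_parent_dir`.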
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-cf8v-5mrc-jv7f (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-28382 (ghsa, ADVISORY)
- github.com/OpenC3/cosmos/commit/fc7e11310a7cdf9f1939886e1b29009db4d4b718 (ghsa, WEB)
- github.com/OpenC3/cosmos/pull/1828 (ghsa, WEB)
- github.com/OpenC3/cosmos/releases/tag/v6.1.0 (ghsa, WEB)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/openc3-cosmos-tool-iframe/CVE-2025-28382.yml (ghsa, WEB)
- openc3.com (ghsa, WEB)
- visionspace.com/openc3-cosmos-a-security-assessment-of-an-open-source-mission-framework (ghsa, WEB)
- openc3.com (mitre)
- visionspace.com/openc3-cosmos-a-security-assessment-of-an-open-source-mission-framework/ (mitre)
News mentions
No linked articles in our index yet.