VYPR
Critical severityNVD Advisory· Published Jun 13, 2025· Updated Oct 27, 2025

CVE-2025-28384

Description

An issue in the /script-api/scripts/ endpoint of OpenC3 COSMOS before 6.1.0 allows attackers to execute a directory traversal.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A directory traversal vulnerability in the /script-api/scripts/ endpoint of OpenC3 COSMOS before v6.1.0 allows attackers to read arbitrary files.

The /script-api/scripts/ endpoint in OpenC3 COSMOS versions prior to 6.1.0 fails to properly sanitize user-supplied path parameters, allowing directory traversal [4]. This permits an attacker to access files outside the intended scripts directory.

The vulnerability can be exploited by sending a crafted HTTP request to the /script-api/scripts/ endpoint with path traversal sequences (e.g., ../) in the script path. In typical deployments the endpoint sits behind COSMOS authentication, so an attacker needs network access to the COSMOS web interface and, where authentication is enforced, valid credentials; if the endpoint is exposed without authentication, an unauthenticated attacker with network access can exploit it directly.

Successful exploitation enables an attacker to read arbitrary files from the server filesystem, including configuration files, credentials, or other sensitive data. This could lead to further compromise of the COSMOS instance and connected systems.

The issue is fixed in OpenC3 COSMOS version 6.1.0, which includes a patch that disallows parent directory paths in the sanitize_params function [4]. Users are advised to upgrade to 6.1.0 or later.
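As an added illustration (this is not OpenC3 COSMOS code; the function and file names below are assumptions), the following Ruby sketch shows the shape of the bug and of the check the advisory describes: a resolver that trusts a user-supplied script path versus one that rejects parent-directory components and then confirms the resolved path still lies under the scripts root. The directory layout it reads is constructed in a temporary directory.

```ruby
# Added illustration, not OpenC3 COSMOS code. Function names are hypothetical.
require "tmpdir"
require "fileutils"

class TraversalError < StandardError; end

# Vulnerable shape: expand the user-supplied path relative to the scripts root
# and trust the result. "../" segments (and absolute paths) escape the root.
def resolve_unsafe(scripts_root, user_path)
  File.expand_path(user_path, scripts_root)
end

# Hardened shape: refuse any ".." path component (the kind of check the
# advisory says was added to sanitize_params), and additionally verify that
# the expanded path is still inside the scripts root, which also catches
# absolute paths. "~" is rejected because File.expand_path expands it to the
# home directory.
def sanitize_script_path(scripts_root, user_path)
  raise TraversalError, "empty path" if user_path.nil? || user_path.empty?
  raise TraversalError, "home directory expansion not allowed" if user_path.start_with?("~")
  segments = user_path.split(%r{[\\/]+})
  raise TraversalError, "parent directory path not allowed" if segments.include?("..")
  root = File.expand_path(scripts_root)
  resolved = File.expand_path(user_path, root)
  unless resolved == root || resolved.start_with?(root + File::SEPARATOR)
    raise TraversalError, "path escapes scripts root"
  end
  resolved
end

def read_script_unsafe(scripts_root, user_path)
  File.read(resolve_unsafe(scripts_root, user_path))
end

def read_script_safe(scripts_root, user_path)
  File.read(sanitize_script_path(scripts_root, user_path))
end

# Demo on a constructed layout:
#   <base>/scripts/hello.rb   (inside the scripts root)
#   <base>/secret.txt         (outside it, stands in for a config/credential file)
def demo
  Dir.mktmpdir("traversal-demo") do |base|
    scripts = File.join(base, "scripts")
    FileUtils.mkdir_p(scripts)
    File.write(File.join(scripts, "hello.rb"), "puts 'hello'\n")
    File.write(File.join(base, "secret.txt"), "token=constructed-sample\n")

    results = {}
    results[:legit_unsafe]     = read_script_unsafe(scripts, "hello.rb")
    results[:traversal_unsafe] = read_script_unsafe(scripts, "../secret.txt") # leaks the file
    results[:legit_safe]       = read_script_safe(scripts, "hello.rb")
    results[:traversal_safe]   = begin
      read_script_safe(scripts, "../secret.txt")
    rescue TraversalError => e
      "rejected: #{e.message}"
    end
    results[:absolute_safe] = begin
      read_script_safe(scripts, File.join(base, "secret.txt"))
    rescue TraversalError => e
      "rejected: #{e.message}"
    end
    results
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The two checks are deliberately layered: the ".." segment filter is the fix the advisory names, while the prefix check on the expanded path is the belt-and-braces test that also stops absolute paths and any encoding the framework decodes before the handler sees it. When auditing a similar endpoint, feed it each of the inputs in demo and confirm the outside-the-root reads fail with an error rather than a file body.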

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

References: 10
