Advisories for Gem/Openc3 package

2026

openc3-api Vulnerable to Unauthenticated Remote Code Execution

OpenC3 COSMOS contains a critical remote code execution vulnerability reachable through the JSON-RPC API. When a JSON-RPC request uses the string form of certain APIs, attacker-controlled parameter text is parsed into values using String#convert_to_value. For array-like inputs, convert_to_value executes eval(). Because the cmd code path parses the command string before calling authorize(), an unauthenticated attacker can trigger Ruby code execution even though the request ultimately fails authorization (401).

2024

OpenC3 stores passwords in clear text (`GHSL-2024-129`)

OpenC3 COSMOS stores the password of a user unencrypted in the LocalStorage of a web browser. This makes the user password susceptible to exfiltration via Cross-site scripting (see GHSL-2024-128). Note: This CVE only affects Open Source edition, and not OpenC3 COSMOS Enterprise Edition

OpenC3 Path Traversal via screen controller (`GHSL-2024-127`)

A path traversal vulnerability inside of LocalMode's open_local_file method allows an authenticated user with adequate permissions to download any .txt via the ScreensController#show on the web server COSMOS is running on (depending on the file permissions). Note: This CVE affects all OpenC3 COSMOS Editions

OpenC3 Cross-site Scripting in Login functionality (`GHSL-2024-128`)

The login functionality contains a reflected cross-site scripting (XSS) vulnerability. Note: This CVE only affects Open Source Edition, and not OpenC3 COSMOS Enterprise Edition