What is the CVSS score of CVE-2025-68271?

CVE-2025-68271 has a CVSS 3.1 base score of 10.0 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.3%.

Which versions of Ruby are affected by CVE-2025-68271?

CVE-2025-68271 presents critical security risk, a eval injection vulnerability rated CVSS 10.0.. A patch is available.

How to fix or mitigate CVE-2025-68271?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Monitor vendor channels for patch availability.

Ruby CVE-2025-68271

CRITICAL

Eval Injection (CWE-95)

2026-01-13 security-advisories@github.com

GHSA-w757-4qv9-mghp

Ruby RCE

10.0

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

10.0 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Jan 13, 2026 - 19:16 nvd

CRITICAL 10.0

DescriptionGitHub Advisory

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From 5.0.0 to 6.10.1, OpenC3 COSMOS contains a critical remote code execution vulnerability reachable through the JSON-RPC API. When a JSON-RPC request uses the string form of certain APIs, attacker-controlled parameter text is parsed into values using String#convert_to_value. For array-like inputs, convert_to_value executes eval(). Because the cmd code path parses the command string before calling authorize(), an unauthenticated attacker can trigger Ruby code execution even though the request ultimately fails authorization (401). This vulnerability is fixed in 6.10.2.

AnalysisAI

OpenC3 COSMOS (space mission control software, 5.0.0-6.10.1) has unauthenticated RCE through the JSON-RPC API. String parameters are evaluated as Ruby code via convert_to_value. Maximum CVSS 10.0 with scope change.

Technical ContextAI

The JSON-RPC API uses String#convert_to_value to parse string parameters, which evaluates them as Ruby code (CWE-95). An unauthenticated attacker can inject arbitrary Ruby expressions that execute on the COSMOS server.

Affected ProductsAI

OpenC3 COSMOS 5.0.0 through 6.10.1

RemediationAI

Update COSMOS immediately. Restrict JSON-RPC API access to authenticated, trusted users only.

CVE-2025-68271 vulnerability details – vuln.today

Back

Ruby CVE-2025-68271

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Technical ContextAI

Affected ProductsAI

RemediationAI

Share

External POC / Exploit Code