How to fix CVE-2025-68271?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Monitor vendor channels for patch availability.

Is Ruby affected by CVE-2025-68271?

CVE-2025-68271 presents critical security risk, a eval injection vulnerability rated CVSS 10.0. Successful exploitation could allow attackers to execute arbitrary code or commands on affected systems, potentially leading to full system compromise.

CVE-2025-68271

CRITICAL

2026-01-13 [email protected]

GHSA-w757-4qv9-mghp

10.0

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Jan 13, 2026 - 19:16 nvd

CRITICAL 10.0

Description

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From 5.0.0 to 6.10.1, OpenC3 COSMOS contains a critical remote code execution vulnerability reachable through the JSON-RPC API. When a JSON-RPC request uses the string form of certain APIs, attacker-controlled parameter text is parsed into values using String#convert_to_value. For array-like inputs, convert_to_value executes eval(). Because the cmd code path parses the command string before calling authorize(), an unauthenticated attacker can trigger Ruby code execution even though the request ultimately fails authorization (401). This vulnerability is fixed in 6.10.2.

Analysis

OpenC3 COSMOS (space mission control software, 5.0.0-6.10.1) has unauthenticated RCE through the JSON-RPC API. String parameters are evaluated as Ruby code via convert_to_value. Maximum CVSS 10.0 with scope change.

Technical Context

The JSON-RPC API uses String#convert_to_value to parse string parameters, which evaluates them as Ruby code (CWE-95). An unauthenticated attacker can inject arbitrary Ruby expressions that execute on the COSMOS server.

Affected Products

OpenC3 COSMOS 5.0.0 through 6.10.1

Remediation

Update COSMOS immediately. Restrict JSON-RPC API access to authenticated, trusted users only.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.3

CVSS: +50

POC: 0

CVE-2025-68271 vulnerability details – vuln.today

Back

CVE-2025-68271

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-68271

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code