Opensatkit
CVE-2025-70085
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
An issue was discovered in OpenSatKit 2.2.1. The EventErrStr buffer has a fixed size of 256 bytes. The code uses sprintf to format two filenames (Source1Filename and the string returned by FileUtil_FileStateStr) into this buffer without any length checking and without using bounded format specifiers such as %.*s. If the filename length approaches OS_MAX_PATH_LEN (commonly 64-256 bytes), the combined formatted string together with constant text can exceed 256 bytes, resulting in a stack buffer overflow. Such unsafe sprintf calls are scattered across multiple functions in file.c, including FILE_ConcatenateCmd() and ConcatenateFiles(), all of which fail to validate the output length.
AnalysisAI
Stack buffer overflow in OpenSatKit 2.2.1 satellite ground station software. The ErrStr buffer overflows when formatting filenames. Space infrastructure vulnerability.
Technical ContextAI
CWE-121 stack overflow in EventErrStr (256-byte buffer). sprintf formats two filenames that can exceed the buffer.
RemediationAI
Update OpenSatKit. Use snprintf with size limits.
More in Opensatkit
View allAn issue was discovered in OpenSatKit 2.2.1. The DirName field in the telecommand is provided by the ground segment and
Directory traversal vulnerability in OpenSatKit 2.2.1 allows attackers to gain access to sensitive information or delete
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today