Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
5DescriptionGitHub Advisory
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, OpenC3 COSMOS contains a design flaw in the save_tool_config() function that allows saving tool configuration files at arbitrary locations inside the shared /plugins directory tree by supplying crafted configuration filenames. Although the implementation sufficiently mitigates standard path traversal attacks, by canonicalizing filename to an absolute path, all plugins share this same root directory. That enables users to create arbitrary file structures and overwrite existing configuration files within the shared /plugins directory. This issue has been patched in versions 6.10.5 and 7.0.0-rc3.
AnalysisAI
OpenC3 COSMOS before versions 6.10.5 and 7.0.0-rc3 allows authenticated users to write arbitrary files to the shared /plugins directory via path traversal sequences in tool configuration filenames, potentially overwriting other plugins' configuration files. The vulnerability exists in the save_tool_config() function which canonicalizes filenames but does not restrict writes to plugin-specific subdirectories, enabling lateral movement between plugins. CVSS 4.3 reflects low severity due to authentication requirement and limited scope (integrity only), though real-world impact depends on whether plugin configurations contain sensitive data.
Technical ContextAI
OpenC3 COSMOS is an embedded systems command and telemetry framework written in Ruby/Python that manages tool configurations across a shared plugin directory structure. The vulnerability lies in the save_tool_config() function in local_mode.rb, which accepts user-supplied configuration filenames from the web UI and saves them within OPENC3_LOCAL_MODE_PATH. Although the implementation uses path canonicalization to prevent standard '..' escapes to arbitrary system locations, the shared /plugins root directory is accessible to all plugins. The CWE-23 classification (Relative Path Traversal) applies because the function validates against absolute path traversal but fails to enforce per-plugin directory boundaries. The fix adds regex validation (/[/\]|\.\./) to both the Vue.js frontend SaveConfigDialog component and backend Ruby/Python ToolConfigModel classes, rejecting any configuration or tool names containing path separators or '..' sequences.
RemediationAI
Upgrade to OpenC3 COSMOS 6.10.5 or 7.0.0-rc3 or later immediately. The patches add regex-based input validation to reject tool and configuration names containing forward slashes, backslashes, or '..' sequences at both frontend (Vue.js SaveConfigDialog) and backend (Ruby ToolConfigModel and Python ToolConfigModel) layers. No workarounds are available without code modification. If immediate patching is not possible, disable tool configuration save functionality in the COSMOS web UI or restrict access to the COSMOS interface to trusted operators only via network firewall rules or reverse proxy authentication. Verify the fix by checking that configuration save attempts with names like '../../evil' or 'sub/config' are rejected with 'Invalid config name' errors. See GitHub commits https://github.com/OpenC3/cosmos/commit/9957a9fa460c0c0cf5cdbf6a5931bbdd025246a5 and https://github.com/OpenC3/cosmos/commit/e6efccbd148ba0e3361c5891027f2373aa140d42 for exact code changes.
Critical remote code execution vulnerability in OpenC3 COSMOS v6.0.0's Plugin Management component that allows unauthent
OpenC3 COSMOS versions before v6.0.2 contain hardcoded credentials embedded in the Service Account, allowing unauthentic
Critical authentication bypass vulnerability in OpenC3 COSMOS v6.0.0 caused by weak password requirements that enable br
Critical directory traversal vulnerability in OpenC3 COSMOS versions before 6.1.0 affecting the /script-api/scripts/ end
Directory traversal vulnerability in OpenC3 COSMOS versions before 6.1.0 that allows unauthenticated remote attackers to
A security vulnerability in OpenC3 COSMOS (CVSS 7.5) that allows attackers. Risk factors: public PoC available.
A cross-site scripting (XSS) vulnerability in OpenC3 COSMOS before v6.0.2 allows attackers to execute arbitrary web scri
SQL injection in OpenC3 COSMOS 6.7.0 to 7.0.0-rc2 allows authenticated users with minimal 'tlm' (telemetry viewer) privi
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems.
OpenC3 COSMOS password change functionality accepts valid session tokens in lieu of current passwords, enabling attacker
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems.
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems.
Same weakness CWE-23 – Relative Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27059