CVE-2025-68271 (openc3): openc3-api Vulnerable to Unauthenticated Remote Code Execution
    
    
      
        







...

The RubyLA blog offers insights, tutorials, and community updates for Ruby developers in Los Angeles and beyond. Developers can explore Ruby language features, web development frameworks, and best practices for building Ruby applications. Additionally, the blog covers Ruby meetups, events, and job opportunities in the Los Angeles area, fostering collaboration and networking within the local Ruby community.

RUBYLAND

OpenC3 COSMOS has a critical remote code execution vulnerability (CVE-2025-68271) in its JSON-RPC API. The flaw allows unauthenticated attackers to execute arbitrary Ruby code through the String#convert_to_value method, which uses eval() on array-like inputs. The vulnerability is triggered before authorization checks, enabling code execution even when requests fail authentication. Versions below 5.0.6 are unaffected, while versions 6.10.2 and above contain the patch.