
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A directory traversal vulnerability was discovered in OpenC3 COSMOS version 6.0.0, specifically affecting the openc3-api/tables endpoint. The vulnerability was assigned CVE-2025-28382 and was publicly disclosed on June 13, 2025. This security flaw affects the core functionality of OpenC3 COSMOS, a command and control software suite designed for space mission operations (OpenC3 Website, VisionSpace Assessment).
The vulnerability exists in the openc3-api/tables endpoint, which is responsible for managing and editing binary files according to their definitions. The flaw allows authenticated attackers to traverse directory paths, enabling unauthorized access to files outside the intended directory structure. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating a high-severity issue that is exploitable over the network and requires no user interaction (NVD Database).
The vulnerability allows authenticated attackers to read, delete, and copy arbitrary files within the container. Since the Docker container runs with root privileges by default, there are no restrictions on which files can be accessed. This could lead to unauthorized access to sensitive system files, potential information disclosure, and system compromise (VisionSpace Assessment).
Security researchers recommend implementing proper input sanitization for all user input, including parameters obtained directly from URLs. Additionally, user file read/write operations should be restricted to only the required folders within the host. It is also advised to configure the Docker container to run with restricted privileges rather than root by default (VisionSpace Assessment).
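The containment check recommended above, sketched in Ruby as an added example (not OpenC3 code and not taken from the referenced assessment). The names `naive_resolve`, `safe_resolve` and the `tables` directory layout are hypothetical, and the sample tree is constructed.

```ruby
require 'tmpdir'

# Added illustration; every name here is hypothetical, not OpenC3 code.
class PathEscapeError < StandardError; end

# Weak form: the user-supplied name is joined onto the base directory unchecked.
def naive_resolve(base, name)
  File.join(base, name)
end

# Hardened form: canonicalise, then require the result to stay under base.
def safe_resolve(base, name)
  name = name.to_s
  raise PathEscapeError, 'empty name or NUL byte' if name.empty? || name.include?("\0")

  root = File.realpath(base)
  # Joining first keeps "~" and a leading "/" from being treated specially.
  candidate = File.expand_path(File.join(root, name))
  # Resolve symlinks on the deepest existing ancestor so a link inside base cannot lead outside it.
  existing = candidate
  existing = File.dirname(existing) until File.exist?(existing) || File.symlink?(existing)
  real = File.realpath(existing) + candidate[existing.length..]
  return real if real == root || real.start_with?(root + File::SEPARATOR)

  raise PathEscapeError, "#{name.inspect} resolves outside #{root}"
rescue Errno::ENOENT, Errno::ELOOP
  raise PathEscapeError, "#{name.inspect} cannot be resolved"
end

# Constructed sample tree: an allowed directory, a file outside it, a symlink inside it pointing out.
def demo
  Dir.mktmpdir do |tmp|
    base = File.join(tmp, 'tables')
    Dir.mkdir(base)
    File.write(File.join(base, 'config.bin'), 'table data')
    File.write(File.join(tmp, 'secret.txt'), 'outside')
    File.symlink(tmp, File.join(base, 'link'))
    ['config.bin', 'new/table.bin', '../secret.txt', 'link/secret.txt', '/etc/passwd'].to_h do |n|
      verdict = begin
        safe_resolve(base, n) && :allowed
      rescue PathEscapeError
        :rejected
      end
      [n, verdict]
    end
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

An absolute name such as `/etc/passwd` is reported as allowed because the join confines it beneath the base directory instead of honouring it as a filesystem root path.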
Source: This report was generated using AI