CVE-2025-28384: 
Ruby vulnerability analysis and mitigation

An issue in the /script-api/scripts/ endpoint of OpenC3 COSMOS 6.0.0 allows attackers to execute a directory traversal. The vulnerability was discovered and disclosed on June 13, 2025 (MITRE, NVD).

The vulnerability exists in the Script Runner tool's API endpoint /script-api/scripts/ which allows for the creation and modification of user-defined scripts. The file path in the API endpoint is not properly sanitized, enabling authenticated users to traverse directories using path traversal sequences (../../) to access arbitrary files within the Docker container. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 CRITICAL with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (VisionSpace).

Due to the Docker container running as root by default, the vulnerability allows authenticated users to read any arbitrary file within the container's filesystem. This could lead to exposure of sensitive information, system configurations, and credentials stored in the container (VisionSpace).

The recommended mitigations include properly sanitizing all user input including URL parameters, limiting user file read/write operations to only required folders within the host, and restricting the Docker container from running as root by default (VisionSpace).