CVE-2025-28384: 
Ruby vulnerability analysis and mitigation

A directory traversal vulnerability was discovered in OpenC3 COSMOS version 6.0.0, specifically affecting the /script-api/scripts/ endpoint. The vulnerability was disclosed on June 13, 2025, and allows attackers to execute directory traversal attacks to access arbitrary files within the system (MITRE, NVD).

The vulnerability exists in the Script Runner tool's API endpoint /script-api/scripts/ which allows for the creation and modification of user-defined scripts. The file path in the API endpoint is not properly sanitized, enabling authenticated users to traverse directories using path traversal sequences (../../) to access arbitrary files within the Docker container. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 CRITICAL with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (VisionSpace, Wiz).

Due to the Docker container running as root by default, the vulnerability allows authenticated users to read any arbitrary file within the container's filesystem. This could lead to exposure of sensitive information, system configurations, and credentials stored in the container (VisionSpace).

The recommended mitigations include properly sanitizing all user input including URL parameters, limiting user file read/write operations to only required folders within the host, and restricting the Docker container from running as root by default. Additionally, it is advised that all user input be sanitized correctly, including parameters directly obtained from the URL (VisionSpace).