Houston, We Have an `eval()`: Pre-Auth RCE in OpenC3 COSMOS
Jan 14, 2026 · 6 min read
Executive Summary (TL;DR)
OpenC3 COSMOS, software used for satellite command and control, was caught using Ruby's `eval()` to parse strings that looked like arrays. Because this parsing happens before authentication checks in the JSON-RPC API, any unauthenticated attacker can send a crafted packet to execute code as the server user. It's literally a case of 'If it looks like an array, execute it.'
A Critical (10.0) pre-authentication Remote Code Execution vulnerability in OpenC3 COSMOS allows attackers to execute arbitrary commands on mission control servers via the JSON-RPC interface. The flaw stems from the insecure use of `eval()` when parsing array-like strings.
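The pattern the advisory describes, as an added Ruby example (a constructed model, not the project's actual source): a converter that hands "array-looking" text to `eval()`, beside a hardened version that parses the bracketed text as JSON data. The module names, regexes and the `$side_effect` probe are assumptions made for this demonstration.

```ruby
require 'json'

# Constructed model of the pattern in the advisory, not the project's own code:
# a converter that turns "array-looking" text into a Ruby value with eval.
module UnsafeConvert
  ARRAY_RE = /\A\s*\[.*\]\s*\z/m

  # Vulnerable: the string's *content*, not just its shape, decides what runs.
  def self.convert_to_value(str)
    return Integer(str) if str =~ /\A\s*-?\d+\s*\z/
    return Float(str)   if str =~ /\A\s*-?\d+\.\d+\s*\z/
    return eval(str)    if str =~ ARRAY_RE   # code execution happens here
    str
  rescue StandardError
    str
  end
end

# Hardened: treat bracketed text as data. JSON.parse only builds arrays,
# numbers, strings and the like; it cannot call methods or assign variables.
module SafeConvert
  ARRAY_RE = UnsafeConvert::ARRAY_RE

  def self.convert_to_value(str)
    return Integer(str) if str =~ /\A\s*-?\d+\s*\z/
    return Float(str)   if str =~ /\A\s*-?\d+\.\d+\s*\z/
    if str =~ ARRAY_RE
      parsed = JSON.parse(str)
      return parsed if parsed.is_a?(Array)
    end
    str
  rescue ArgumentError, JSON::ParserError
    str   # anything that is not a clean number or JSON array stays a string
  end
end

# Constructed probe: array-shaped text whose element is a Ruby assignment.
# eval executes it (visible via the global flag); JSON.parse rejects it as malformed.
$side_effect = false
PROBE = '[1, 2, $side_effect = true]'.freeze

def demo
  unsafe = UnsafeConvert.convert_to_value(PROBE)
  hit_by_eval = $side_effect
  $side_effect = false
  safe = SafeConvert.convert_to_value(PROBE)
  { unsafe: unsafe, hit_by_eval: hit_by_eval, safe: safe, hit_by_json: $side_effect }
end
```

Running `demo` shows the unsafe path returning `[1, 2, true]` with the flag set, while the safe path returns the original string untouched and leaves the flag alone.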
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| OpenC3 COSMOS (OpenC3) | >= 5.0.0, <= 6.10.1 | 6.10.2 |
| Attribute | Detail |
|---|---|
| CWE | CWE-95 (Eval Injection) |
| CVSS v3.1 | 10.0 (Critical) |
| Attack Vector | Network (Pre-Auth) |
| Affected Component | String#convert_to_value |
| Language | Ruby / Python |
| Exploit Reliability | High (Deterministic) |
MITRE ATT&CK Mapping
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. 'eval').