GHSA-4jvx-93h3-f45h

Source
https://github.com/advisories/GHSA-4jvx-93h3-f45h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-4jvx-93h3-f45h/GHSA-4jvx-93h3-f45h.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4jvx-93h3-f45h
Aliases
  • CVE-2026-42085
Published
2026-04-22T22:22:02Z
Modified
2026-05-05T16:01:19.406872Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
OpenC3 COSMOS allows arbitrary writes to plugins directory via path-traversed config filenames
Details

Summary

OpenC3 COSMOS contains a design flaw in the save_tool_config() function that allows tool configuration files to be saved at arbitrary locations inside the shared /plugins directory tree by supplying crafted configuration filenames. Although the implementation sufficiently mitigates standard path traversal attacks by canonicalizing the filename to an absolute path, all plugins share this same root directory. That enables users to create arbitrary file structures and overwrite existing configuration files within the shared /plugins directory.

Details

In the save_tool_config() function (local_mode.rb), which is responsible for saving user-supplied tool configuration, the intended destination directory is not sufficiently enforced; writes are instead allowed anywhere inside OPENC3_LOCAL_MODE_PATH.
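To make that distinction concrete, here is an added Ruby example (not code from OpenC3 COSMOS) that contrasts a containment check against the shared root with one against the tool's own directory. SHARED_ROOT stands in for OPENC3_LOCAL_MODE_PATH, and TOOL_DIR and the per-tool directory layout are constructed assumptions, since the advisory does not show the real layout.

```ruby
# Added example, not code from OpenC3 COSMOS. SHARED_ROOT stands in for
# OPENC3_LOCAL_MODE_PATH; TOOL_DIR is a constructed per-tool config directory
# (the real layout is not shown in the advisory and is assumed here).
SHARED_ROOT = '/plugins'
TOOL_DIR    = '/plugins/DEFAULT/limits_monitor'

# True when +path+ equals +base+ or lies below it. The separator is appended
# so that "/pluginsX" is not accepted as being under "/plugins".
def under?(path, base)
  base = base.chomp('/')
  path == base || path.start_with?(base + '/')
end

# Canonicalize a user-supplied filename relative to +dir+. Returns nil for
# input that File.expand_path would mishandle ("~" expands to a home dir).
def canonical(filename, dir)
  return nil if filename.nil? || filename.empty? || filename.include?("\0")
  return nil if filename.start_with?('~')
  File.expand_path(filename, dir)
end

# Weak check, the pattern the advisory describes: the canonical path only has
# to stay inside the shared root. "../../other/x.json" resolves to
# "/plugins/other/x.json" and is accepted, so one tool can write into another.
def resolve_against_root(filename, tool_dir: TOOL_DIR, root: SHARED_ROOT)
  full = canonical(filename, tool_dir)
  full && under?(full, root) ? full : nil
end

# Hardened check: the canonical path must stay inside the tool's own
# directory, and the name must be a plain file name (no separators, no "..").
def resolve_against_tool_dir(filename, tool_dir: TOOL_DIR)
  full = canonical(filename, tool_dir)
  return nil unless full && under?(full, tool_dir)
  return nil unless File.basename(full) == filename
  full
end
```

Traversal that climbs above /plugins is rejected by both checks; only the hardened check also rejects names that land in another tool's directory while still inside the shared root.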

PoC

  1. Navigate to any tool that offers the “Save Configuration” option in the left-hand drop-down menu (here Limits Monitor is used as an example)
  2. Save a new config under a path-traversal name that uses “../” sequences to escape the intended directory (up to 3 levels up)
  3. Observe the new files created in the /plugins directory by inspecting the Docker container directly (openc3-COSMOS-cmd-tlm-api) or by using Bucket Explorer (plugin_default)


Impact

Modifying the data of other plugins

Database specific
{
    "nvd_published_at": "2026-05-04T18:16:30Z",
    "severity": "MODERATE",
    "github_reviewed_at": "2026-04-22T22:22:02Z",
    "cwe_ids": [
        "CWE-23"
    ],
    "github_reviewed": true
}
References

Affected packages

RubyGems / openc3

Package

Name
openc3
Purl
pkg:gem/openc3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
6.10.5

Affected versions

5.*
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.1.0
5.1.1
5.2.0
5.3.0
5.4.0
5.4.1
5.4.2
5.4.3.pre.beta0
5.5.0.pre.beta0
5.5.0
5.5.1
5.5.2.pre.beta0
5.5.2
5.6.0
5.6.1
5.7.0
5.7.2
5.8.0
5.8.1
5.9.0
5.9.1
5.10.0
5.10.1
5.11.0
5.11.1
5.11.2
5.11.3
5.12.0
5.13.0
5.14.0
5.14.1
5.14.2
5.15.0
5.15.1
5.15.2
5.16.0
5.16.1
5.16.2
5.17.0
5.17.1
5.18.0
5.19.0
5.20.0
6.*
6.0.0
6.0.1
6.0.2
6.1.0
6.2.0
6.2.1
6.3.0
6.4.0
6.4.1
6.4.2
6.5.0
6.5.1
6.6.0
6.7.0
6.8.0
6.8.1
6.9.0
6.9.1
6.9.2
6.10.0
6.10.1
6.10.2
6.10.3
6.10.4

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-4jvx-93h3-f45h/GHSA-4jvx-93h3-f45h.json"

RubyGems / openc3

Package

Name
openc3
Purl
pkg:gem/openc3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0.pre.rc1
Fixed
7.0.0-rc3

Affected versions

7.*
7.0.0.pre.rc1
7.0.0.pre.rc2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-4jvx-93h3-f45h/GHSA-4jvx-93h3-f45h.json"