HIGH 7.5
PYSEC-2025-255
Details
A credential leak in OpenC3 COSMOS before v6.0.2 allows attackers to access service credentials as environment variables stored in all containers.
Are you affected?
Enter the version of the package you're using.
Affected packages
PyPI / openc3
Introduced in:
0 No fixed version published yet for openc3 (pip). Pin to a known-safe version or switch to an alternative.
References
- https://github.com/OpenC3/cosmos/pull/1816/commits/cce64c213fd2e6a70e2ccbf3622949fe8f9dcaef [WEB]
- https://github.com/OpenC3/cosmos/releases/tag/v6.0.2 [WEB]
- https://openc3.com/ [WEB]
- https://github.com/OpenC3/cosmos/pull/1816 [FIX]
- https://visionspace.com/openc3-cosmos-a-security-assessment-of-an-open-source-mission-framework/ [EVIDENCE]