Platform: python
Component: ros/ros_comm
A code execution vulnerability, CVE-2024-39289, has been identified in the Robot Operating System (ROS) 'rosparam' tool. This flaw, affecting ROS distributions Noetic Ninjemys and earlier, arises from the insecure use of the eval() function when processing user-supplied parameter values. Attackers can exploit this to execute arbitrary Python code, potentially compromising the entire ROS environment.
The vulnerability allows an attacker to inject and execute arbitrary Python code within the ROS environment. This could lead to complete system compromise, including data theft, modification, or destruction. An attacker could potentially gain control of robots and other connected devices, disrupting operations or causing physical harm. The impact is particularly severe in environments where ROS is used for critical automation or control systems, as malicious code could directly influence real-world actions.
This vulnerability was publicly disclosed on 2025-07-17. The presence of eval() with unsanitized user input mirrors patterns seen in other code execution vulnerabilities, suggesting potential for automated exploitation. Currently, no public proof-of-concept (PoC) code is available, but the ease of exploitation once a PoC is released warrants a high level of concern. It is not currently listed on the CISA KEV catalog.
Exploit Status: EPSS 0.03% (8th percentile)
The primary mitigation is to upgrade to a ROS distribution that addresses this vulnerability. Unfortunately, a specific fixed version is not yet available. As a workaround, implement strict input validation on all parameter values processed by rosparam, particularly those related to angle representations. Disable or restrict the use of custom converters if possible. Consider using a Web Application Firewall (WAF) to filter potentially malicious input. Monitor ROS logs for suspicious activity, specifically Python code execution attempts.
Update ROS to a version later than Noetic Ninjemys. If updating is not possible, avoid using the 'rosparam' tool with untrusted data. Consider applying security patches if they are available for your ROS distribution.
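As an added illustration of the input-validation workaround (this is example code, not code from ros_comm or from this advisory), the following allow-list evaluator accepts only the arithmetic that angle parameter values such as "pi/2" or "2*45" need and rejects every other Python construct instead of handing the string to eval(). The function names and the accepted grammar are this example's own assumptions.

```python
import ast
import math
import operator

# Allow-list evaluator for angle parameter values, a constructed replacement
# for eval(): only numeric literals, the name "pi", + - * /, unary sign and
# parentheses are accepted; any other AST node is rejected.
_BINARY_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
               ast.Mult: operator.mul, ast.Div: operator.truediv}
_NAMES = {"pi": math.pi}


class UnsafeAngleExpression(ValueError):
    """Parameter value contains something other than plain arithmetic."""


def _eval_node(node):
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return float(node.value)          # numeric literal (bool excluded)
    if isinstance(node, ast.Name) and node.id in _NAMES:
        return _NAMES[node.id]            # only "pi" is a known name
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.USub, ast.UAdd)):
        operand = _eval_node(node.operand)
        return -operand if isinstance(node.op, ast.USub) else operand
    if isinstance(node, ast.BinOp) and type(node.op) in _BINARY_OPS:
        return _BINARY_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    # Calls, attribute access, subscripts, comparisons, unknown names: rejected
    raise UnsafeAngleExpression("disallowed syntax: %s" % type(node).__name__)


def safe_radians(value):
    """Evaluate an angle expression in radians, e.g. "pi/2", without eval()."""
    try:
        tree = ast.parse(value.strip(), mode="eval")
        return _eval_node(tree.body)
    except (SyntaxError, ZeroDivisionError) as exc:
        raise UnsafeAngleExpression("invalid expression: %r" % value) from exc


def safe_degrees(value):
    """Evaluate a degree expression, e.g. "90" or "2*45", and convert to radians."""
    return safe_radians(value) * math.pi / 180.0


def is_safe_angle(value):
    """True when value parses under the allow-list, False when it is rejected."""
    try:
        safe_radians(value)
        return True
    except UnsafeAngleExpression:
        return False
```

A rejected value raises instead of executing, and logging the raised expression gives the log-monitoring step above something concrete to match on.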
CVE-2024-39289 is a code execution vulnerability in ROS 'rosparam' affecting Noetic Ninjemys and earlier versions. It allows attackers to execute arbitrary Python code through unsanitized user input.
If you are using ROS Noetic Ninjemys or an earlier version, you are potentially affected. Assess your environment and implement mitigations until a patched version is available.
Upgrade to a patched ROS distribution when available. Until then, implement strict input validation and consider using a WAF to filter malicious input.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a potential for future attacks. Monitor your systems closely.
Refer to the ROS security mailing list and the ROS wiki for updates and official advisories regarding CVE-2024-39289.