Platform: python
Component: rosbag
A critical code execution vulnerability (CVE-2025-3753) has been discovered in the Robot Operating System (ROS) 'rosbag' tool. This flaw stems from the insecure use of the eval() function when processing user-supplied input within the rosbag filter command. Successful exploitation could allow an attacker to execute arbitrary Python code on systems running ROS Noetic Ninjemys and earlier versions. A patch is expected to be released by the ROS community.
The vulnerability's impact is severe due to the ability to execute arbitrary Python code. An attacker could leverage this to gain complete control over a ROS-enabled system, potentially leading to data theft, system compromise, or denial of service. The rosbag filter command is frequently used for analyzing and processing ROS bag files, making it a common target. This vulnerability is particularly concerning in environments where ROS is used for critical automation or robotics applications, as it could be exploited to disrupt operations or compromise sensitive data. The use of eval() on untrusted input mirrors vulnerabilities seen in other scripting languages, highlighting the inherent risks of dynamic code execution.
CVE-2025-3753 is currently not listed on the CISA KEV catalog. The EPSS score is pending evaluation. Public proof-of-concept (PoC) code is expected to be released shortly following the public disclosure of the vulnerability. The vulnerability was publicly disclosed on 2025-07-17.
Exploit Status
EPSS: 0.02% (6th percentile)
The primary mitigation is to upgrade to a patched version of ROS once available. Until a patch is released, implement strict input validation on the rosbag filter command to prevent the execution of malicious code. Specifically, sanitize any user-supplied input before passing it to the eval() function. Consider restricting access to the rosbag filter command to trusted users only. Additionally, review ROS bag files from untrusted sources with extreme caution. After applying mitigations, verify the integrity of your ROS installation and ensure that the rosbag filter command no longer accepts unsanitized input.
Update ROS to a version later than Noetic Ninjemys, Melodic Morenia, Kinetic Kame, or Indigo Igloo, where the vulnerability has been patched. If updating is not possible, avoid using the 'rosbag filter' function with untrusted input. Consider implementing input validation and sanitization before using 'eval()'.
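As an added illustration of the mitigation above (example code, not rosbag's or the ROS project's own): the first function is the eval()-based pattern the advisory describes, where a user-controlled expression string is executed as Python; the second replaces it with an allowlisted AST walker. Filtering a string before handing it to eval() is hard to make complete, so the hardened form never calls eval() at all and refuses anything except comparisons, boolean operators, literals and attribute reads on the three filter variables. The variable names topic, m and t, the SimpleNamespace messages and the sample records are assumptions constructed for the example.

```python
import ast
import operator
from types import SimpleNamespace

# Added example, not rosbag's own code. The names topic, m and t are assumed
# to mirror the variables a rosbag filter expression sees (assumption).


# The pattern the advisory describes: a user-controlled expression string is
# handed straight to eval(), so whatever Python the caller writes is executed.
def vulnerable_filter(expr, topic, m, t):
    return eval(expr, {"topic": topic, "m": m, "t": t})


# Hardened replacement: parse the expression with ast, accept only an
# allowlisted subset of node types, and walk the tree ourselves. eval() is
# never called, so there is no code path that executes caller-supplied code.
ALLOWED_NODES = (
    ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not, ast.USub,
    ast.Compare, ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
    ast.Name, ast.Load, ast.Attribute, ast.Constant,
)
ALLOWED_NAMES = {"topic", "m", "t"}
COMPARE_OPS = {
    ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
    ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge,
}


class SafeFilterExpr:
    """Compile a filter expression once, rejecting anything outside the allowlist."""

    def __init__(self, expr):
        tree = ast.parse(expr, mode="eval")
        for node in ast.walk(tree):
            if not isinstance(node, ALLOWED_NODES):
                # Calls, subscripts, lambdas, comprehensions etc. all land here.
                raise ValueError(f"disallowed syntax: {type(node).__name__}")
            if isinstance(node, ast.Name) and node.id not in ALLOWED_NAMES:
                raise ValueError(f"unknown name: {node.id}")
            if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
                # Block dunder/private attribute walks off the message object.
                raise ValueError(f"private attribute not allowed: {node.attr}")
            if isinstance(node, ast.Constant) and not isinstance(node.value, (int, float, str)):
                raise ValueError("only numeric, string and boolean literals are allowed")
        self.tree = tree

    def __call__(self, topic, m, t):
        return bool(self._eval(self.tree.body, {"topic": topic, "m": m, "t": t}))

    def _eval(self, node, env):
        if isinstance(node, ast.Constant):
            return node.value
        if isinstance(node, ast.Name):
            return env[node.id]
        if isinstance(node, ast.Attribute):
            return getattr(self._eval(node.value, env), node.attr)
        if isinstance(node, ast.UnaryOp):  # only Not and USub pass the allowlist
            operand = self._eval(node.operand, env)
            return (not operand) if isinstance(node.op, ast.Not) else -operand
        if isinstance(node, ast.BoolOp):
            if isinstance(node.op, ast.And):
                return all(self._eval(v, env) for v in node.values)
            return any(self._eval(v, env) for v in node.values)
        if isinstance(node, ast.Compare):  # supports chained forms like 0 < x <= 1
            left = self._eval(node.left, env)
            for op, comparator in zip(node.ops, node.comparators):
                right = self._eval(comparator, env)
                if not COMPARE_OPS[type(op)](left, right):
                    return False
                left = right
            return True
        raise ValueError(f"unhandled node: {type(node).__name__}")


# Constructed sample records standing in for (topic, message, timestamp)
# tuples read from a bag; the message fields are invented for the example.
def _msg(x):
    return SimpleNamespace(linear=SimpleNamespace(x=x))


SAMPLE_RECORDS = [
    ("/cmd_vel", _msg(0.8), 10.0),
    ("/cmd_vel", _msg(0.1), 10.5),
    ("/odom", _msg(0.9), 11.0),
]


def filter_timestamps(expr, records=SAMPLE_RECORDS):
    """Return the timestamps of the records that match expr."""
    keep = SafeFilterExpr(expr)
    return [t for topic, m, t in records if keep(topic, m, t)]


def is_rejected(expr):
    """True if the hardened filter refuses to compile expr."""
    try:
        SafeFilterExpr(expr)
    except (ValueError, SyntaxError):
        return True
    return False


if __name__ == "__main__":
    print(filter_timestamps("topic == '/cmd_vel' and m.linear.x > 0.5"))  # [10.0]
    print(is_rejected("len(topic) > 3"))  # True: function calls are not allowed
```

The allowlist is deliberately small; if a deployment needs more (tuple membership tests, arithmetic), each new node type should be added explicitly and given its own branch in `_eval`, rather than reintroducing eval() for the cases the walker does not cover.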
CVE-2025-3753 is a code execution vulnerability in ROS Noetic Ninjemys and earlier versions. It allows attackers to execute arbitrary Python code through the 'rosbag filter' command due to the insecure use of the eval() function.
If you are using ROS Noetic Ninjemys or an earlier version, you are potentially affected. Assess your environment and implement mitigations until a patch is available.
Upgrade to a patched version of ROS as soon as it is released. Until then, implement strict input validation on the 'rosbag filter' command to prevent malicious code execution.
While no active exploitation has been confirmed, public proof-of-concept code is expected to be released soon, increasing the risk of exploitation.
Refer to the official ROS security announcements page for updates and advisories regarding CVE-2025-3753: https://wiki.ros.org/Security/Advisories