Platform
python
Component
rosbag
A critical code execution vulnerability (CVE-2025-3753) has been discovered in the Robot Operating System (ROS) 'rosbag' tool. The flaw stems from the insecure use of the eval() function on the filter expression that users pass to the rosbag filter command: the expression is evaluated as Python for every message, so anything Python can do, the expression can do. Successful exploitation allows an attacker who controls that expression to execute arbitrary Python code on systems running ROS Noetic Ninjemys and earlier versions. A patch is expected to be released by the ROS community.
The impact is severe because the executed code runs with the privileges of the user invoking rosbag. An attacker could leverage this to gain complete control over a ROS-enabled system, leading to data theft, system compromise, or denial of service. The rosbag filter command is routinely used to analyze and process ROS bag files, so the vulnerable code path is exercised often, and wrappers, scripts or web front-ends that build filter expressions from external input turn it into a remote injection point. This is particularly concerning where ROS drives critical automation or robotics applications, since an exploit could disrupt operations or compromise sensitive data. Passing untrusted input to eval() is the same class of bug seen in other dynamic languages and illustrates the inherent risk of evaluating strings as code.
CVE-2025-3753 is currently not listed on the CISA KEV catalog. The EPSS score is low (0.02%, 6th percentile) at the time of writing. Public proof-of-concept (PoC) code is expected to follow shortly after public disclosure. The vulnerability was publicly disclosed on 2025-07-17.
Robotics researchers and developers using ROS Noetic Ninjemys or earlier versions are at significant risk. Organizations deploying ROS in industrial automation or critical infrastructure environments are particularly exposed, as a successful exploit could have severe operational consequences. Users who run filter expressions supplied by others, or who process ROS bag files from untrusted sources, are also at increased risk.
• python / rosbag:

import subprocess

def check_rosbag_filter(args):
    # Run rosbag filter and inspect its output for eval()-related tracebacks.
    # text=True yields str, so the substring test works (str vs bytes was a bug).
    proc = subprocess.run(['rosbag', 'filter', *args], capture_output=True, text=True)
    combined = proc.stdout + proc.stderr
    if 'eval' in combined:
        print('Potential CVE-2025-3753 exploitation attempt detected!')
        return True
    return False

check_rosbag_filter(['-u', 'your_bag_file'])  # replace with the arguments to audit

• linux / server:

journalctl -u ros | grep -i "eval"

• generic web:

Audit scripts, wrappers and pipelines that build rosbag filter command lines from external input: the filter expression argument is what eval() executes. Treat bag files from untrusted sources with caution as well.
disclosure
Exploit status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to a patched version of ROS once available. Until a patch is released, never pass filter expressions from untrusted sources to rosbag filter: the expression is evaluated as Python, and string-level "sanitization" before eval() is not a reliable defense. If filter expressions must be accepted from other users or systems, validate them against a whitelist of allowed expression forms (comparisons and boolean logic over topic, message fields and time) and reject anything else, rather than trying to strip dangerous substrings. Restrict access to the rosbag filter command to trusted users, and review bag files from untrusted sources with caution. After applying mitigations, verify the integrity of your ROS installation and confirm that no code path still hands unvalidated input to rosbag filter.
Update ROS to a version later than Noetic Ninjemys, Melodic Morenia, Kinetic Kame or Indigo Igloo in which the vulnerability has been fixed. If updating is not possible, avoid using 'rosbag filter' with untrusted inputs. Consider implementing input validation and sanitization before using 'eval()'.
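The following is an added example, not code from the ROS project or from this advisory, showing the vulnerable eval() idiom described above next to a hardened replacement that implements the whitelist approach recommended in the mitigation. The `topic`, `m` and `t` names match the three variables rosbag filter exposes to expressions; the sample message is a constructed SimpleNamespace standing in for a deserialized ROS message, and `vulnerable_filter`, `safe_filter` and `is_safe_expression` are names chosen here for illustration. The hardened version parses the expression with `ast`, rejects any node outside a small whitelist before anything is evaluated, and then interprets the tree directly, so no code object and no builtins are ever reachable.

```python
import ast
import operator
from types import SimpleNamespace

# Operators the hardened evaluator accepts (a deliberate whitelist)
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
            ast.Div: operator.truediv, ast.Mod: operator.mod}
_CMP_OPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
            ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge,
            ast.In: lambda a, b: a in b, ast.NotIn: lambda a, b: a not in b}
_UNARY_OPS = {ast.Not: operator.not_, ast.USub: operator.neg}
_ALLOWED_NODES = (ast.Expression, ast.Constant, ast.Name, ast.Load, ast.Attribute,
                  ast.Subscript, ast.List, ast.Tuple, ast.UnaryOp, ast.BinOp,
                  ast.BoolOp, ast.And, ast.Or, ast.Compare,
                  *_BIN_OPS, *_CMP_OPS, *_UNARY_OPS)
_FILTER_NAMES = {"topic", "m", "t"}  # the three names rosbag filter exposes


class UnsafeExpression(ValueError):
    """A filter expression used a construct outside the whitelist."""


def vulnerable_filter(expr):
    """The vulnerable idiom: eval() the expression with topic/m/t as locals."""
    def fn(topic, m, t):
        return eval(expr)  # arbitrary Python runs here (CVE-2025-3753 pattern)
    return fn


def _ev(node, env):
    """Interpret a whitelisted AST node; no code objects, builtins or calls."""
    if isinstance(node, ast.Expression):
        return _ev(node.body, env)
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):
        return env[node.id]
    if isinstance(node, ast.Attribute):
        return getattr(_ev(node.value, env), node.attr)
    if isinstance(node, ast.Subscript):        # Python 3.9+ slice layout assumed
        return _ev(node.value, env)[_ev(node.slice, env)]
    if isinstance(node, (ast.List, ast.Tuple)):
        return [_ev(e, env) for e in node.elts]
    if isinstance(node, ast.UnaryOp):
        return _UNARY_OPS[type(node.op)](_ev(node.operand, env))
    if isinstance(node, ast.BinOp):
        return _BIN_OPS[type(node.op)](_ev(node.left, env), _ev(node.right, env))
    if isinstance(node, ast.BoolOp):           # generator keeps short-circuiting
        vals = (_ev(v, env) for v in node.values)
        return all(vals) if isinstance(node.op, ast.And) else any(vals)
    if isinstance(node, ast.Compare):          # supports chained comparisons
        left = _ev(node.left, env)
        for op, comp in zip(node.ops, node.comparators):
            right = _ev(comp, env)
            if not _CMP_OPS[type(op)](left, right):
                return False
            left = right
        return True
    raise UnsafeExpression(type(node).__name__)


def safe_filter(expr):
    """Reject anything outside the whitelist up front, then interpret the AST."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_NODES):   # Call, Lambda, comprehensions...
            raise UnsafeExpression(f"{type(node).__name__} is not allowed")
        if isinstance(node, ast.Name) and node.id not in _FILTER_NAMES:
            raise UnsafeExpression(f"unknown name {node.id!r}")
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            raise UnsafeExpression(f"private attribute {node.attr!r}")  # no __class__ walks

    def fn(topic, m, t):
        return _ev(tree, {"topic": topic, "m": m, "t": t})
    return fn


def is_safe_expression(expr):
    """True if safe_filter would accept expr."""
    try:
        safe_filter(expr)
        return True
    except (UnsafeExpression, SyntaxError):
        return False


def sample_message():
    """Constructed stand-in for a deserialized geometry_msgs/Twist message."""
    return SimpleNamespace(linear=SimpleNamespace(x=0.5, y=0.0))


def demo():
    """Run a benign and an injected expression through both filters."""
    msg = sample_message()
    benign = "topic == '/cmd_vel' and m.linear.x > 0.1"
    injected = "topic == '/cmd_vel' or __import__('os').getpid() > 0"
    out = {
        "vulnerable_benign": vulnerable_filter(benign)("/cmd_vel", msg, 1.0),
        # topic does not match, yet the injected call runs and flips the result to True
        "vulnerable_injected": vulnerable_filter(injected)("/other", msg, 1.0),
        "safe_benign": safe_filter(benign)("/cmd_vel", msg, 1.0),
    }
    try:
        safe_filter(injected)
        out["safe_injected"] = "accepted"
    except UnsafeExpression as e:
        out["safe_injected"] = f"rejected: {e}"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The injected expression uses a harmless `os.getpid()` call only to prove that arbitrary code executes; a real payload would do anything the invoking user can. Note that the hardened evaluator rejects the expression at parse time, before any message is processed, which is the property to aim for: validation of the structure, not substring filtering of the string.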
CVE-2025-3753 is a code execution vulnerability in ROS Noetic Ninjemys and earlier versions. It allows attackers to execute arbitrary Python code through the 'rosbag filter' command due to the insecure use of the eval() function.
If you are using ROS Noetic Ninjemys or an earlier version, you are potentially affected. Assess your environment and implement mitigations until a patch is available.
Upgrade to a patched version of ROS as soon as it is released. Until then, implement strict input validation on the 'rosbag filter' command to prevent malicious code execution.
While no active exploitation has been confirmed, public proof-of-concept code is expected to be released soon, increasing the risk of exploitation.
Refer to the official ROS security announcements page for updates and advisories regarding CVE-2025-3753: https://wiki.ros.org/Security/Advisories