Platform: python
Component: ros/ros_comm
A code execution vulnerability has been identified in the Robot Operating System (ROS) 'rosparam' tool. This flaw, affecting ROS distributions Noetic Ninjemys and earlier, arises from the insecure use of the eval() function when processing user-supplied parameter values. Attackers can exploit this to execute arbitrary Python code, potentially compromising the entire ROS environment.
The vulnerability allows an attacker to inject and execute arbitrary Python code within the ROS environment. This could lead to complete system compromise, including data theft, modification, or destruction. An attacker could potentially gain control of robots and other connected devices, disrupting operations or causing physical harm. The impact is particularly severe in environments where ROS is used for critical automation or control systems, as malicious code could directly influence real-world actions.
This vulnerability was publicly disclosed on 2025-07-17. The presence of eval() with unsanitized user input mirrors patterns seen in other code execution vulnerabilities, suggesting potential for automated exploitation. Currently, no public proof-of-concept (PoC) code is available, but the ease of exploitation once a PoC is released warrants a high level of concern. It is not currently listed on the CISA KEV catalog.
Robotics researchers and developers using ROS Noetic Ninjemys or earlier are at significant risk. This includes organizations deploying ROS-based automation systems, particularly those in industrial, research, or educational settings. Shared ROS environments or those with limited security controls are especially vulnerable.
• python / ros:
import subprocess

# Retrieve a parameter value through the rosparam CLI so its contents can be inspected.
result = subprocess.run(['rosparam', 'get', '/my_parameter'], capture_output=True, text=True)
print(result.stdout)

Monitor the output for unexpected or malicious Python code being retrieved.
• python / ros: Check for unusual Python scripts being executed within the ROS environment using ps aux | grep python and examining the command-line arguments.
• python / ros: Review ROS configuration files for any custom converters that might be vulnerable to code injection.
• generic web: Monitor ROS API endpoints for unexpected requests or responses that might indicate exploitation.
disclosure
Exploit Status
EPSS: 0.03% (8th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to a ROS distribution that addresses this vulnerability. Unfortunately, a specific fixed version is not yet available. As a workaround, implement strict input validation on all parameter values processed by rosparam, particularly those related to angle representations. Disable or restrict the use of custom converters if possible. Consider using a Web Application Firewall (WAF) to filter potentially malicious input. Monitor ROS logs for suspicious activity, specifically Python code execution attempts.
Update ROS to a version later than Noetic Ninjemys. If updating is not possible, avoid using the 'rosparam' tool with untrusted data. Consider applying security patches if they are available for your ROS distribution.
CVE-2024-39289 is a code execution vulnerability in ROS 'rosparam' affecting Noetic Ninjemys and earlier versions. It allows attackers to execute arbitrary Python code through unsanitized user input.
If you are using ROS Noetic Ninjemys or an earlier version, you are potentially affected. Assess your environment and implement mitigations until a patched version is available.
Upgrade to a patched ROS distribution when available. Until then, implement strict input validation and consider using a WAF to filter malicious input.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a potential for future attacks. Monitor your systems closely.
Refer to the ROS security mailing list and the ROS wiki for updates and official advisories regarding CVE-2024-39289.