A code injection vulnerability has been identified in the Robot Operating System (ROS) 'roslaunch' command-line tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability arises from the use of the eval() method to process user-supplied, unsanitized parameter values within the substitution args mechanism, which roslaunch evaluates before launching a node. This flaw allows attackers to craft and execute arbitrary Python code.
References
History

Tue, 26 Aug 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Openrobotics
Openrobotics robot Operating System
CPEs cpe:2.3:o:openrobotics:robot_operating_system:indigo_igloo:*:*:*:*:*:*:*
cpe:2.3:o:openrobotics:robot_operating_system:kinetic_kame:*:*:*:*:*:*:*
cpe:2.3:o:openrobotics:robot_operating_system:melodic_morenia:*:*:*:*:*:*:*
cpe:2.3:o:openrobotics:robot_operating_system:noetic_ninjemys:*:*:*:*:*:*:*
Vendors & Products Openrobotics
Openrobotics robot Operating System

Thu, 17 Jul 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 17 Jul 2025 19:30:00 +0000

Type Values Removed Values Added
Description A code injection vulnerability has been identified in the Robot Operating System (ROS) 'roslaunch' command-line tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability arises from the use of the eval() method to process user-supplied, unsanitized parameter values within the substitution args mechanism, which roslaunch evaluates before launching a node. This flaw allows attackers to craft and execute arbitrary Python code.
Title Unsafe use of eval() method in roslaunch tool
Weaknesses CWE-94
CWE-95
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2025-07-18T08:04:28.875Z

Reserved: 2024-08-08T14:41:22.665Z

Link: CVE-2024-39835

cve-icon Vulnrichment

Updated: 2025-07-17T20:36:26.287Z

cve-icon NVD

Status : Analyzed

Published: 2025-07-17T20:15:27.400

Modified: 2025-08-26T17:51:58.870

Link: CVE-2024-39835

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.