A code injection vulnerability has been discovered in the Robot Operating System (ROS) 'rostopic' command-line tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability lies in the 'echo' verb, which allows a user to introspect a ROS topic and accepts a user-provided Python expression via the --filter option. This input is passed directly to the eval() function without sanitization, allowing a local user to craft and execute arbitrary code.
Metrics
Affected Vendors & Products
References
Link | Providers |
---|---|
https://www.ros.org/blog/noetic-eol/ |
![]() ![]() |
History
Tue, 26 Aug 2025 18:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Openrobotics
Openrobotics robot Operating System |
|
CPEs | cpe:2.3:o:openrobotics:robot_operating_system:indigo_igloo:*:*:*:*:*:*:* cpe:2.3:o:openrobotics:robot_operating_system:kinetic_kame:*:*:*:*:*:*:* cpe:2.3:o:openrobotics:robot_operating_system:melodic_morenia:*:*:*:*:*:*:* cpe:2.3:o:openrobotics:robot_operating_system:noetic_ninjemys:*:*:*:*:*:*:* |
|
Vendors & Products |
Openrobotics
Openrobotics robot Operating System |
Thu, 17 Jul 2025 21:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Thu, 17 Jul 2025 19:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | A code injection vulnerability has been discovered in the Robot Operating System (ROS) 'rostopic' command-line tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability lies in the 'echo' verb, which allows a user to introspect a ROS topic and accepts a user-provided Python expression via the --filter option. This input is passed directly to the eval() function without sanitization, allowing a local user to craft and execute arbitrary code. | |
Title | Unsafe use of eval() method in rostopic echo tool | |
Weaknesses | CWE-94 CWE-95 |
|
References |
| |
Metrics |
cvssV3_1
|

Status: PUBLISHED
Assigner: canonical
Published:
Updated: 2025-07-18T08:05:08.288Z
Reserved: 2024-08-08T14:41:22.680Z
Link: CVE-2024-41921

Updated: 2025-07-17T20:37:14.159Z

Status : Analyzed
Published: 2025-07-17T20:15:27.750
Modified: 2025-08-26T17:51:29.637
Link: CVE-2024-41921

No data.

No data.