Robot Operating System Code Injection Vulnerability in roslaunch Command-Line Tool

Vulnerability

A code injection vulnerability exists in the Robot Operating System (ROS) 'roslaunch' command-line tool, impacting ROS distributions Noetic Ninjemys and earlier. The issue stems from the Python eval() built-in being used to process user-supplied, unsanitized parameter values within the substitution args mechanism. This evaluation occurs before the node is launched, allowing attackers to craft and execute arbitrary Python code.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected system.

Remediation

Users are encouraged to migrate to ROS 2, as ROS 1 Noetic will reach end-of-life on May 31, 2025, after which no security updates or support will be available. Migration guides for ROS 2 Humble Hawksbill and ROS 2 Jazzy Jalisco are available in the ROS 2 documentation.

Added: Jul 17, 2025, 9:01 PM
Updated: Jul 17, 2025, 10:11 PM

Vulnerability Rating

Custom Algorithm
  spread          4.5
  impact         10.0
  exploitability  7.0
  remediation     7.7
  relevance       0.3
  threat          0.0
  urgency         2.9
  incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.