Robot Operating System
cpe:2.3:a:openrobotics:robot_operating_system:*:*:*:*:*:*:*, +1 more
- <= noetic_ninjemys
A code injection vulnerability exists in the Robot Operating System (ROS) 'rostopic' command-line tool, affecting ROS distributions up to and including Noetic Ninjemys. The issue is in the 'hz' verb, which reports the publishing rate of a topic. The string given to the --filter option is a user-provided Python expression that is passed directly to eval() with no validation, so a local user can execute arbitrary Python code through it.
Exploitation gives arbitrary code execution on the local system with the privileges of the user running rostopic. Because the expression comes from the command line, the exposure is greatest wherever rostopic hz is invoked with arguments that another party can influence, for example from wrapper scripts, launch files, or tooling that builds the filter string from untrusted input.
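The pattern the advisory describes, an eval() over a caller-supplied filter, shown beside a hardened variant that only accepts comparisons and arithmetic over message fields. This is an added example, not rostopic's own code: the Msg class is a constructed stand-in for a ROS message, and binding the message to the name m inside the filter is an assumption made for illustration.

```python
import ast


class Msg:
    """Constructed stand-in for a ROS message; field names are illustrative."""

    def __init__(self, data, seq):
        self.data = data
        self.seq = seq


def unsafe_filter(expr, m):
    """Vulnerable pattern: the filter string reaches eval() untouched.

    eval() supplies the full builtins namespace when the globals dict lacks
    __builtins__, so __import__ and therefore any module is reachable.
    """
    return bool(eval(expr, {"m": m}))


# Syntax whitelist for a filter: boolean logic, comparisons, arithmetic,
# literals, and attribute reads on the message object only.
_ALLOWED_NODES = (
    ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not, ast.USub,
    ast.Compare, ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
    ast.BinOp, ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod,
    ast.Constant, ast.Name, ast.Load, ast.Attribute,
)


def validate_filter(expr):
    """Parse the filter and reject anything outside the whitelist.

    Calls, subscripts, lambdas, comprehensions and every other node type are
    refused, as are names other than m and dunder/private attribute access
    (which would otherwise allow m.__class__... traversal).
    """
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_NODES):
            raise ValueError("disallowed syntax: %s" % type(node).__name__)
        if isinstance(node, ast.Name) and node.id != "m":
            raise ValueError("unknown name: %s" % node.id)
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            raise ValueError("private attribute access: %s" % node.attr)
        if isinstance(node, ast.Constant) and not isinstance(
            node.value, (int, float, str, bool, type(None))
        ):
            raise ValueError("unsupported constant")
    return compile(tree, "<filter>", "eval")


def safe_filter(expr, m):
    """Hardened variant: validate first, then evaluate with no builtins."""
    code = validate_filter(expr)
    return bool(eval(code, {"__builtins__": {}}, {"m": m}))


def filter_is_accepted(expr):
    """True if the hardened validator admits the expression."""
    try:
        validate_filter(expr)
        return True
    except (ValueError, SyntaxError):
        return False


if __name__ == "__main__":
    msg = Msg(data=5, seq=2)
    print(unsafe_filter("m.data > 3", msg))
    # The same call with an injected expression reaches the os module.
    print(unsafe_filter("__import__('os').getpid() > 0", msg))
    print(safe_filter("m.data > 3 and m.seq % 2 == 0", msg))
    print(filter_is_accepted("__import__('os').getpid() > 0"))
```

Validating the AST before compiling is the key step: stripping builtins from the eval namespace alone is not enough, because attribute chains such as m.__class__.__subclasses__() can recover them, which is why the validator also refuses any attribute whose name starts with an underscore.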
Users are encouraged to migrate to ROS 2, as ROS 1 Noetic will reach end-of-life on May 31, 2025. Migration guides for ROS 2 Humble Hawksbill and ROS 2 Jazzy Jalisco are available. For complex ROS 1 systems, the ROS 1 to ROS 2 Bridge can be used to migrate one package at a time.