Robot Operating System Code Injection Vulnerability in rostopic Tool

Vulnerability

A code injection vulnerability exists in the Robot Operating System (ROS) 'rostopic' command-line tool, impacting ROS distributions Noetic Ninjemys and earlier. The issue arises in the 'echo' verb, where user-provided Python expressions can be submitted via the --filter option. This input is directly evaluated using the eval() function without any sanitization, enabling local users to execute arbitrary code.
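
The eval() pattern the advisory describes, beside a hardened filter that parses the --filter expression and evaluates only a whitelist of AST node types (field access, arithmetic, comparisons, boolean logic); this is an added example, not rostopic's own code, and the Msg class and field names are constructed for illustration.

```python
import ast
import operator

class Msg:
    """Constructed stand-in for a ROS message (hypothetical, not a real ROS type)."""
    def __init__(self, **fields):
        self.__dict__.update(fields)

def eval_filter_unsafe(expr, m):
    # The vulnerable pattern: the user-supplied filter string is handed to eval(),
    # so any Python expression in it runs with the tool's privileges.
    return eval(expr)

# Operators the hardened filter is willing to apply.
_BIN = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}
_CMP = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
        ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}

def safe_filter(expr, m):
    """Evaluate a filter over message `m` without eval(): only the node types
    handled below are accepted; calls, subscripts, names other than `m`, and
    dunder attributes raise ValueError."""
    tree = ast.parse(expr, mode="eval")

    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float, str, bool)):
            return node.value
        if isinstance(node, ast.Name) and node.id == "m":
            return m
        if isinstance(node, ast.Attribute) and not node.attr.startswith("_"):
            return getattr(ev(node.value), node.attr)      # e.g. m.pos.x
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN:
            return _BIN[type(node.op)](ev(node.left), ev(node.right))
        if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in _CMP:
            return _CMP[type(node.ops[0])](ev(node.left), ev(node.comparators[0]))
        if isinstance(node, ast.BoolOp):
            vals = (ev(v) for v in node.values)           # short-circuits like and/or
            return all(vals) if isinstance(node.op, ast.And) else any(vals)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not ev(node.operand)
        raise ValueError("disallowed expression element: %s" % type(node).__name__)

    return bool(ev(tree))
```

A function call such as `len(m.data) > 1` is rejected outright because no `ast.Call` branch exists, which is the property that closes the injection path.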

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected system.

Remediation

Users are encouraged to migrate to ROS 2, as ROS 1 Noetic will reach end-of-life on May 31, 2025. Migration guides for ROS 2 Humble Hawksbill and ROS 2 Jazzy Jalisco are available in the official ROS documentation. For complex ROS 1 systems, the ROS 1 to ROS 2 Bridge can be used to migrate one package at a time.

Added: Jul 17, 2025, 8:57 PM
Updated: Jul 17, 2025, 10:07 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 10.0
exploitability: 3.5
remediation: 7.7
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.