Robot Operating System 'rosbag' Tool Code Execution Vulnerability

Vulnerability

A code execution vulnerability exists in the Robot Operating System (ROS) 'rosbag' tool, impacting ROS distributions Noetic Ninjemys and earlier. The issue stems from the 'rosbag filter' command, which passes unsanitized user input (the filter expression) to Python's eval() function. An attacker who controls that input can craft and execute arbitrary Python code.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected system.

Remediation

Users are encouraged to migrate to ROS 2, as ROS 1 Noetic will reach end-of-life on May 31, 2025. After this date, Noetic users may be exposed to unpatched security vulnerabilities. Migration options include transitioning to ROS 2 Humble Hawksbill or ROS 2 Jazzy Jalisco, depending on the complexity of the ROS 1 project. For projects that are tightly coupled or complex, the ROS 1 to ROS 2 Bridge can be used to migrate one package at a time.

Added: Jul 17, 2025, 8:37 PM
Updated: Jul 17, 2025, 9:49 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 10.0
exploitability: 6.0
remediation: 7.7
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.