CVE-2024-41921

A code injection vulnerability has been discovered in the Robot Operating System (ROS) 'rostopic' command-line tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability lies in the 'echo' verb, which allows a user to introspect a ROS topic and accepts a user-provided Python expression via the --filter option. This input is passed directly to the eval() function without sanitization, allowing a local user to craft and execute arbitrary code.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.ros.org/blog/noetic-eol/	Product

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:openrobotics:robot_operating_system:indigo_igloo:::::::*
	cpe:2.3:o:openrobotics:robot_operating_system:kinetic_kame:::::::*
	cpe:2.3:o:openrobotics:robot_operating_system:melodic_morenia:::::::*
	cpe:2.3:o:openrobotics:robot_operating_system:noetic_ninjemys:::::::*

History

26 Aug 2025, 17:51

Type	Values Removed	Values Added
References	~~() https://www.ros.org/blog/noetic-eol/ -~~	() https://www.ros.org/blog/noetic-eol/ - Product
CPE		cpe:2.3:o:openrobotics:robot_operating_system:indigo_igloo:::::::* cpe:2.3:o:openrobotics:robot_operating_system:melodic_morenia:::::::* cpe:2.3:o:openrobotics:robot_operating_system:noetic_ninjemys:::::::* cpe:2.3:o:openrobotics:robot_operating_system:kinetic_kame:::::::*
First Time		Openrobotics Openrobotics robot Operating System
Summary		(es) Se ha descubierto una vulnerabilidad de inyección de código en la herramienta de línea de comandos "rostopic" del Robot Operating System (ROS), que afecta a las distribuciones de ROS Noetic Ninjemys y anteriores. La vulnerabilidad reside en el verbo "echo", que permite al usuario introspectar un tema de ROS y aceptar una expresión de Python proporcionada por el usuario mediante la opción --filter. Esta entrada se pasa directamente a la función eval() sin depurar, lo que permite a un usuario local manipular y ejecutar código arbitrario.

17 Jul 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-17 20:15

Updated : 2025-08-26 17:51

NVD link : CVE-2024-41921

Mitre link : CVE-2024-41921

CVE.ORG link : CVE-2024-41921

JSON object : View

Products Affected

openrobotics

robot_operating_system

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-95

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

7.8 /10