CVE-2024-39289
Publication date 17 July 2025
Last updated 23 July 2025
Ubuntu priority
Description
A code execution vulnerability has been discovered in the Robot Operating System (ROS) 'rosparam' tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability stems from the use of the eval() function to process unsanitized, user-supplied parameter values via special converters for angle representations in radians. This flaw allowed attackers to craft and execute arbitrary Python code.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| ros-ros-comm | 25.04 plucky | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
|
| ros-kinetic-ros-comm | 16.04 LTS xenial |
Fixed 1.12.17+8
|
| ros-melodic-ros-comm | 18.04 LTS bionic |
Fixed 1.14.13+4
|
| ros-noetic-ros-comm | 20.04 LTS focal |
Fixed 1.17.4+2
|
Notes
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.8 · High
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |