Unrated severityNVD Advisory· Published Jul 17, 2025· Updated Jul 18, 2025

Unsafe use of eval() method in rostopic echo tool

CVE-2024-41921

Description

A code injection vulnerability has been discovered in the Robot Operating System (ROS) 'rostopic' command-line tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability lies in the 'echo' verb, which allows a user to introspect a ROS topic and accepts a user-provided Python expression via the --filter option. This input is passed directly to the eval() function without sanitization, allowing a local user to craft and execute arbitrary code.

Affected products

ROS/rostopicllm-fuzzy
Range: <= Noetic Ninjemys
Open Source Robotics Foundation/Robot Operating System (ROS)v5
Range: Noetic Ninjemys

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.ros.org/blog/noetic-eol/mitreproduct

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000