CVE-2024-39780

HIGH

Openrobotics Robot Operating System - Insecure Deserialization

Title source: rule

Description

A YAML deserialization vulnerability was found in the Robot Operating System (ROS) 'dynparam', a command-line tool for getting, setting, and deleting parameters of a dynamically configurable node, affecting ROS distributions Noetic and earlier. The issue is caused by the use of the yaml.load() function in the 'set' and 'get' verbs, and allows for the creation of arbitrary Python objects. Through this flaw, a local or remote user can craft and execute arbitrary Python code.
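The loader mistake described above, shown beside its fix, as an added example that is not code from ROS or the dynparam tool: a minimal dynparam-style value parser. The function names and the parameter values are constructed for this illustration.

```python
# Added example (not ROS/dynparam code): a dynparam-style parser for a
# parameter value given on the command line, vulnerable and fixed.
import yaml

# Constructed sample inputs: a normal parameter value, and a document
# carrying a PyYAML python/* tag. Only an unrestricted loader would turn
# the second one into a live Python object (the CWE-502 issue).
BENIGN_VALUE = "{max_speed: 1.5, enabled: true}"
TAGGED_VALUE = "!!python/object/apply:builtins.len [[1, 2, 3]]"


def parse_value_vulnerable(text):
    """The CVE pattern: an unrestricted loader honours python/* tags and
    constructs arbitrary objects from attacker-controlled text."""
    return yaml.load(text, Loader=yaml.UnsafeLoader)


def parse_value_safe(text):
    """The fix: safe_load only builds plain YAML types (str, int, float,
    bool, list, dict) and raises on any python/* tag."""
    return yaml.safe_load(text)


def is_safe_parameter_value(text):
    """Validation helper (hypothetical): True if the value is acceptable
    to the safe loader, False if the safe loader rejects it."""
    try:
        yaml.safe_load(text)
        return True
    except yaml.YAMLError:
        # ConstructorError for unknown tags, plus syntax errors
        return False


if __name__ == "__main__":
    print(parse_value_safe(BENIGN_VALUE))
    print(is_safe_parameter_value(TAGGED_VALUE))
```

Note that yaml.load without an explicit Loader is itself a red flag in code review: older PyYAML releases defaulted to the unrestricted loader, which is exactly the dynparam defect.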

Scores

CVSS v3 7.8
EPSS 0.0073
EPSS Percentile 72.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Classification

CWE
CWE-502 CWE-20
Status published

Affected Products (4)

openrobotics/robot_operating_system

Timeline

Published Apr 02, 2025
Tracked Since Feb 18, 2026