CVE-2025-3753

A code execution vulnerability has been identified in the Robot Operating System (ROS) 'rosbag' tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability arises from the use of the eval() function to process unsanitized, user-supplied input in the 'rosbag filter' command. This flaw enables attackers to craft and execute arbitrary Python code.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.ros.org/blog/noetic-eol/	Product

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:openrobotics:robot_operating_system:indigo_igloo:::::::*
	cpe:2.3:o:openrobotics:robot_operating_system:kinetic_kame:::::::*
	cpe:2.3:o:openrobotics:robot_operating_system:melodic_morenia:::::::*
	cpe:2.3:o:openrobotics:robot_operating_system:noetic_ninjemys:::::::*

History

26 Aug 2025, 17:51

Type	Values Removed	Values Added
References	~~() https://www.ros.org/blog/noetic-eol/ -~~	() https://www.ros.org/blog/noetic-eol/ - Product
First Time		Openrobotics Openrobotics robot Operating System
Summary		(es) Se ha identificado una vulnerabilidad de ejecución de código en la herramienta "rosbag" del Robot Operating System (ROS), que afecta a las distribuciones de ROS Noetic Ninjemys y anteriores. La vulnerabilidad surge del uso de la función eval() para procesar la entrada no depurada proporcionada por el usuario en el comando "rosbag filter". Esta falla permite a los atacantes manipular y ejecutar código Python arbitrario.
CPE		cpe:2.3:o:openrobotics:robot_operating_system:melodic_morenia:::::::* cpe:2.3:o:openrobotics:robot_operating_system:noetic_ninjemys:::::::* cpe:2.3:o:openrobotics:robot_operating_system:indigo_igloo:::::::* cpe:2.3:o:openrobotics:robot_operating_system:kinetic_kame:::::::*

17 Jul 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-17 20:15

Updated : 2025-08-26 17:51

NVD link : CVE-2025-3753

Mitre link : CVE-2025-3753

CVE.ORG link : CVE-2025-3753

JSON object : View

Products Affected

openrobotics

robot_operating_system

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-95

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

7.8 /10