CVE-2024-39780

Published: Apr 2, 2025Modified: Aug 26, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

A YAML deserialization vulnerability was found in the Robot Operating System (ROS) 'dynparam', a command-line tool for getting, setting, and deleting parameters of a dynamically configurable node, affecting ROS distributions Noetic and earlier. The issue is caused by the use of the yaml.load() function in the 'set' and 'get' verbs, and allows for the creation of arbitrary Python objects. Through this flaw, a local or remote user can craft and execute arbitrary Python code.

Affected (4)

Products: Openrobotics: Robot Operating System

Openrobotics

1 product

Robot Operating System

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Openrobotics Robot Operating System	Version indigo_igloo
Openrobotics Robot Operating System	Version kinetic_kame
Openrobotics Robot Operating System	Version melodic_morenia
Openrobotics Robot Operating System	Version noetic_ninjemys

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-502

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (1)

https://github.com/ros/dynamic_reconfigure/pull/202

Source: security@ubuntu.com

Patch

Timeline

No history available yet.