YAML Deserialization Flaw in Robot Operating System's Dynamic Parameter Tool
CVE-2024-39780
Key Information:
- Vendor:
- CVE Published: 2 April 2025
What is CVE-2024-39780?
A vulnerability has been identified in the Robot Operating System (ROS) dynamic parameter tool, 'dynparam'. Its 'set' and 'get' commands pass YAML data to the yaml.load() function, which handles it improperly and can be made to construct and execute arbitrary Python objects from the supplied document. As a result, both local and remote users may be able to run unintended Python code by manipulating parameter values. This vulnerability affects all ROS distributions up to Noetic, which is a significant concern for ROS environments. A fix has been implemented for ROS Noetic.
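The following added example (not code from the ROS or dynparam project) contrasts the flawed pattern with its hardened form: it assumes PyYAML and uses constructed inputs, including a harmless `!!python/tuple` document, to show that a full loader builds Python objects from the stream while `yaml.safe_load` refuses any such tag and still parses ordinary parameter values.

```python
import yaml

# Constructed sample inputs (not from the advisory): four ordinary dynparam-style
# values and one document carrying a Python-object tag. The tag used here
# (!!python/tuple) is harmless; it only shows that the full loader will build
# arbitrary Python objects named in the YAML stream.
ORDINARY_VALUES = ["42", "0.5", "true", "base_link"]
PYTHON_TAGGED = "!!python/tuple [1, 2]"


def load_param_unsafe(text):
    """Mirror of the flawed pattern: yaml.load() with the full loader, which
    resolves !!python/* tags and constructs whatever objects they name."""
    return yaml.load(text, Loader=yaml.Loader)


def load_param_safe(text):
    """Hardened form: safe_load only constructs plain YAML types and raises
    a ConstructorError on any tag outside the core YAML schema."""
    return yaml.safe_load(text)


def is_rejected_by_safe_loader(text):
    """True when the safe loader refuses the document (the case a hardened
    dynparam would log and reject rather than evaluate)."""
    try:
        yaml.safe_load(text)
    except yaml.YAMLError:
        return True
    return False


def compare_loaders():
    """Return (unsafe_result, safe_result) for every constructed input, with
    None recorded for the safe loader where it rejects the document."""
    results = {}
    for doc in ORDINARY_VALUES + [PYTHON_TAGGED]:
        safe = None if is_rejected_by_safe_loader(doc) else load_param_safe(doc)
        results[doc] = (load_param_unsafe(doc), safe)
    return results


if __name__ == "__main__":
    for doc, (unsafe, safe) in compare_loaders().items():
        print(f"{doc!r:28} unsafe={unsafe!r:12} safe={safe!r}")
```

Ordinary scalars parse identically under both loaders; only the tagged document differs, which is the behaviour a regression test for the Noetic fix should pin down.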
Affected Version(s)
Robot Operating System (ROS) Linux Noetic Ninjemys
Robot Operating System (ROS) Linux Melodic Morenia
Robot Operating System (ROS) Linux Kinetic Kame