CVE-2024-39780

Published: Apr 2, 2025

Modified: Jun 18, 2025

PUBLISHED

CVSS v3.1

7.8

HIGH

Description

A YAML deserialization vulnerability was found in the Robot Operating System (ROS) 'dynparam', a command-line tool for getting, setting, and deleting parameters of a dynamically configurable node, affecting ROS distributions Noetic and earlier. The issue is caused by the use of the yaml.load() function in the 'set' and 'get' verbs, and allows for the creation of arbitrary Python objects. Through this flaw, a local or remote user can craft and execute arbitrary Python code.

Vendor	Product	Versions
Open Source Robotics Foundation	Robot Operating System (ROS)	affected `Noetic Ninjemys` affected `Melodic Morenia` affected `Kinetic Kame` affected `Indigo Igloo`

Weaknesses (CWE)

CWE-502

CWE-20

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/ros/dynamic_reconfigure/pull/202

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-39780

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References