CVE-2024-39835
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-39835
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-39835.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-39835
- Downstream
- Published
- 2025-07-17T20:15:27Z
- Modified
- 2025-08-26T19:16:59.248712Z
- Summary
- [none]
- Details
-
A code injection vulnerability has been identified in the Robot Operating System (ROS) 'roslaunch' command-line tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability arises from the use of the eval() method to process user-supplied, unsanitized parameter values within the substitution args mechanism, which roslaunch evaluates before launching a node. This flaw allows attackers to craft and execute arbitrary Python code.
- References
Affected packages
Debian:11 / ros-ros-comm
Package
- Name
- ros-ros-comm
- Purl
- pkg:deb/debian/ros-ros-comm?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
1.*
1.15.9+ds1-7
1.15.9+ds1-7+deb11u1
1.15.9+ds1-8
1.15.9+ds1-9
1.15.9+ds1-10
1.15.9+ds1-11
1.15.13+ds1-1
1.15.13+ds1-2
1.15.13+ds1-3
1.15.13+ds1-4
1.15.13+ds1-5
1.15.13+ds1-6
1.15.14+ds-1
1.15.14+ds-2
1.15.14+ds-3
1.15.14+ds-4
1.15.14+ds-5
1.15.15+ds-1
1.15.15+ds-2
1.16.0+ds-1
1.16.0+ds-2
1.16.0+ds-3
1.16.0+ds-3.1~exp1
1.16.0+ds-3.1
1.16.0+ds-4
1.16.0+ds-5
1.16.0+ds-6
1.17.0+ds-1
1.17.0+ds-2
Debian:12 / ros-ros-comm
Package
- Name
- ros-ros-comm
- Purl
- pkg:deb/debian/ros-ros-comm?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Debian:13 / ros-ros-comm
Package
- Name
- ros-ros-comm
- Purl
- pkg:deb/debian/ros-ros-comm?arch=source
Debian:14 / ros-ros-comm
Package
- Name
- ros-ros-comm
- Purl
- pkg:deb/debian/ros-ros-comm?arch=source