CVE-2024-41148: 
Linux Debian vulnerability analysis and mitigation

A code injection vulnerability has been discovered in the Robot Operating System (ROS) 'rostopic' command-line tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability was assigned CVE-2024-41148 and was disclosed on July 17, 2025. The issue affects the 'hz' verb functionality within the rostopic tool (NVD).

The vulnerability lies in the 'hz' verb, which reports the publishing rate of a topic and accepts a user-provided Python expression via the --filter option. This input is passed directly to the eval() function without sanitization. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The weakness has been classified under CWE-94 (Improper Control of Generation of Code) and CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code) (NVD, Rapid7).

The vulnerability allows a local user to craft and execute arbitrary code through the rostopic command-line tool. This could lead to complete compromise of the affected system with high impacts on confidentiality, integrity, and availability (NVD).

Users are advised to upgrade their ROS installations. This vulnerability particularly affects systems running ROS Noetic Ninjemys and earlier versions. The issue will be addressed as part of the planned end-of-life transition for ROS 1, scheduled for May 31st, 2025 (ROS Blog).