CVE-2025-39780: 
Linux Debian vulnerability analysis and mitigation

A YAML deserialization vulnerability was discovered in the Robot Operating System (ROS) 'dynparam' command-line tool, affecting ROS distributions Noetic and earlier. The vulnerability was assigned identifier CVE-2024-39780 and was disclosed on April 2, 2025. The issue affects the tool used for getting, setting, and deleting parameters of dynamically configurable nodes (NVD).

The vulnerability stems from the use of the yaml.load() function in the 'set' and 'get' verbs of the dynparam tool, which allows for the creation of arbitrary Python objects. The vulnerability has received a CVSS v3.1 Base Score of 9.8 (CRITICAL) from NIST with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, while Canonical Ltd. assessed it with a score of 7.8 (HIGH) with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

Through this vulnerability, a local or remote user can craft and execute arbitrary Python code on affected systems. The vulnerability has been classified with CWE-20 (Improper Input Validation) and CWE-502 (Deserialization of Untrusted Data), indicating its potential for significant system compromise (NVD).

A fix has been implemented for ROS Noetic through a patch that addresses the YAML deserialization vulnerability. The fix is available via commit 3d93ac13603438323d7e9fa74e879e45c5fe2e8e (NVD).