CVE-2026-41551: Path Traversal in file_server get_file() - Siemens ROS#

Details

• Version: ROS# all versions before 2.2.2 (fixed in 2.2.2)
• CVE ID: CVE-2026-41551
• Siemens Advisory ID: SSA-357982
• CVSS v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
• CVSS v4.0: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N)
• CWE: CWE-23 Relative Path Traversal
• Vendor Homepage: https://www.siemens.com
• Affected Product Code Base: ROS# (ros-sharp) file_server service — all versions before 2.2.2 (vulnerable), fixed in 2.2.2
• Affected Component: get_file() in ROS Packages/ROS1/file_server/src/file_server.cpp (lines 24-62) and ROS Packages/ROS2/file_server2/src/file_server.cpp (lines 50-78)
• CVE Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41551
• Exploit Author: VyPr AI
• Fix Status: Patched in ROS# 2.2.2; the file_server revision adds path validation so resolved paths stay within the package directory

Description

A relative path traversal vulnerability (CWE-23) exists in the ROS# file_server service. The get_file() function constructs a file path by concatenating the user-controlled package and filepath components of the service request without sanitization or normalization. By supplying ../ sequences in the request name, an attacker can traverse out of the package directory and read or write arbitrary files on the filesystem with the privileges of the service user.

The vulnerable code resolves the package directory and then appends the attacker-controlled remainder of the path directly:

// ROS2 (file_server2/src/file_server.cpp)
std::string address = request->name.substr(10);
std::string package = address.substr(0, address.find("/"));
std::string filepath = address.substr(package.length());
std::string directory = ament_index_cpp::get_package_share_directory(package);
directory += filepath;   // no normalization — "../" escapes the package directory

The ROS1 implementation (file_server/src/file_server.cpp) is affected in the same way, using ros::package::getPath(package) before the unchecked concatenation.

Attack Vectors

• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: None
• User Interaction: None

An attacker who can reach the file_server service (for example via a rosbridge_server WebSocket exposed to an untrusted network) sends a get_file request whose name contains directory-traversal sequences such as package://file_server2/../../../../../../etc/passwd. The service returns the contents of the targeted file. Because the package documents file_server use for URDF transfers, robot-model visualization, and Gazebo/Unity simulation scenes, deployments that expose these services to untrusted networks are remotely exploitable. The Siemens advisory characterizes the impact as read and write access to arbitrary files with the service user’s privileges.

References

• CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41551
• Siemens Security Advisory (SSA-357982): https://cert-portal.siemens.com/productcert/html/ssa-357982.html
• Fixed Release (2.2.2): https://github.com/siemens/ros-sharp/releases/tag/2.2.2
• Vendor Project: https://github.com/siemens/ros-sharp