Gazebo patches a file-read flaw
The Gazebo robotics simulator has shipped fixes for a WebsocketServer flaw that could expose files from the host machine.
Gazebo published a security advisory on June 18 for its WebsocketServer plugin: an operation named asset could read arbitrary files from the machine running the simulator. Fixes are already available across supported lines, with backported versions for several generations of the stack: ign-launch 5.3.1 for Fortress, gz-launch 7.1.2 for Harmonic, 8.0.3 for Ionic, 9.0.1 for Jetty, and gz-sim 10.4.0 for Jetty.
The issue is technical, but it lands on a practical part of modern robotics. Gazebo is no longer only a local developer tool. It is used to test mobile robots, arms, fleets and autonomous scenarios, sometimes with a web interface or network access to inspect and control a simulation. In this case, the OnAsset handler accepted filesystem paths without enough validation. If the WebSocket server was reachable, especially on the default port 9002, a network client could access files on the host system when no authorization key was configured.
The scope is less dramatic than a flaw in a robot already deployed in the field, but it matters for teams that automate their test benches. A robotics simulation can contain proprietary models, maps of industrial sites, sensor settings, internal service credentials or experiment traces. The advisory says the fix now restricts resource reads to explicitly approved locations, such as Gazebo resource directories and the Fuel cache, instead of accepting absolute paths from the caller.
The episode also shows how robotics software inherits long package histories. Gazebo notes that older versions of the plugin lived in the launch repository, first under Ignition and later under Gazebo. That is why the patch set spans ign-launch, gz-launch and gz-sim. For administrators who cannot update immediately, Gazebo recommends setting an authorization_key in the plugin configuration or strictly firewalling access to the WebSocket port. This is a useful brief because it connects cybersecurity and robotics directly: securing simulators is becoming a routine part of robot engineering, not a side concern left until deployment.
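To make the two defensive points above concrete, here is an added illustration (not Gazebo's code and not taken from the advisory) of how a WebSocket asset handler can confine reads to approved roots, as the fix is described to do, and how a configured authorization_key can gate requests. The root directories, file names and the choice to refuse requests when no key is configured are assumptions for the example.

```cpp
// Added illustration, not Gazebo's code: an allowlist-based asset resolver
// of the kind the advisory describes (approved roots only, no caller-supplied
// absolute paths), plus a constant-time check for a configured
// authorization_key. Root directories and file names below are constructed.
#include <algorithm>
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

namespace fs = std::filesystem;

// Constructed example roots standing in for Gazebo resource directories and
// the Fuel cache (hypothetical locations).
const std::vector<fs::path> kExampleRoots = {"/opt/gz/models",
                                            "/home/robot/.gz/fuel"};

// Resolve a client-supplied asset name against the approved roots.
// Returns the path under the first root that lexically contains it, or
// std::nullopt when the request is empty, absolute, names a directory, or
// escapes every root via "..".
std::optional<fs::path> resolveAssetPath(const std::string& requested,
                                         const std::vector<fs::path>& roots)
{
    fs::path rel(requested);
    // Only names relative to an approved root are considered; an absolute
    // path from the caller is rejected outright.
    if (rel.empty() || rel.is_absolute() || rel.has_root_name())
        return std::nullopt;

    for (const fs::path& root : roots)
    {
        fs::path rootNorm = root.lexically_normal();
        if (!rootNorm.has_filename())          // drop a trailing separator
            rootNorm = rootNorm.parent_path();

        // Collapse "." and ".." lexically, then require that every component
        // of the root is a prefix of the candidate. Comparing components
        // rather than strings stops "/opt/gz/models2" from passing as a
        // child of "/opt/gz/models".
        fs::path candidate = (rootNorm / rel).lexically_normal();
        auto mm = std::mismatch(rootNorm.begin(), rootNorm.end(),
                                candidate.begin(), candidate.end());
        if (mm.first == rootNorm.end() && candidate.has_filename())
            return candidate;
        // This is a lexical check only. Before opening an existing file,
        // production code should also fs::canonical() it (resolving symlinks)
        // and repeat the containment test on the canonical path.
    }
    return std::nullopt;
}

// Example policy (an assumption here, not Gazebo's documented behaviour):
// accept a request only when a key is configured and the presented key
// matches. The byte comparison does not stop at the first difference, so
// timing does not reveal how much of the key was right; only the length
// check returns early.
bool authorizationKeyAccepted(const std::string& configured,
                              const std::string& presented)
{
    if (configured.empty() || configured.size() != presented.size())
        return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < configured.size(); ++i)
        diff |= static_cast<unsigned char>(configured[i] ^ presented[i]);
    return diff == 0;
}

int main()
{
    // Constructed requests: one legitimate asset name, one absolute path,
    // one traversal attempt and one bare directory reference.
    const char* requests[] = {"car/model.sdf", "/etc/passwd",
                              "../../etc/passwd", "."};
    for (const char* r : requests)
    {
        auto p = resolveAssetPath(r, kExampleRoots);
        std::cout << r << " -> " << (p ? p->string() : "rejected") << '\n';
    }
    std::cout << std::boolalpha
              << authorizationKeyAccepted("", "anything") << ' '
              << authorizationKeyAccepted("s3cret", "s3cret") << '\n';
    return 0;
}
```

The resolver returns the first root that lexically contains the name; a real handler would then check that the file exists under that root and canonicalize it before reading, since a symlink planted inside an approved directory is not caught by a purely lexical test.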