Vulnerabilites related to roocode - roo_code
Vulnerability from fkie_nvd
Published
2025-09-06 03:15
Modified
2025-09-15 18:07
Severity ?
Summary
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions 3.25.23 and below contain a default list of allowed commands that do not need manual approval if auto-approve is enabled, and npm install is included in that list. Because npm install executes lifecycle scripts, if a repository’s package.json file contains a malicious postinstall script, it would be executed automatically without user approval. This means that enabling auto-approved commands and opening a malicious repo could result in arbitrary code execution. This is fixed in version 3.26.0.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:roocode:roo_code:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FF1ECC76-9F04-425B-9FDA-045A8B21F5E1",
"versionEndExcluding": "3.26.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Roo Code is an AI-powered autonomous coding agent that lives in users\u0027 editors. Versions 3.25.23 and below contain a default list of allowed commands that do not need manual approval if auto-approve is enabled, and npm install is included in that list. Because npm install executes lifecycle scripts, if a repository\u2019s package.json file contains a malicious postinstall script, it would be executed automatically without user approval. This means that enabling auto-approved commands and opening a malicious repo could result in arbitrary code execution. This is fixed in version 3.26.0."
}
],
"id": "CVE-2025-58374",
"lastModified": "2025-09-15T18:07:55.513",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-09-06T03:15:40.097",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://github.com/RooCodeInc/Roo-Code/pull/7390/files"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/RooCodeInc/Roo-Code/releases/tag/v3.26.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-c292-qxq4-4p2v"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-06-27 22:15
Modified
2025-09-15 18:08
Severity ?
Summary
Roo Code is an AI-powered autonomous coding agent. The project-specific MCP configuration for the Roo Code agent is stored in the `.roo/mcp.json` file within the VS Code workspace. Because the MCP configuration format allows for execution of arbitrary commands, prior to version 3.20.3, it would have been possible for an attacker with access to craft a prompt to ask the agent to write a malicious command to the MCP configuration file. If the user had opted-in to auto-approving file writes within the project, this would have led to arbitrary command execution. This issue is of moderate severity, since it requires the attacker to already be able to submit prompts to the agent (for instance through a prompt injection attack), for the user to have MCP enabled (on by default), and for the user to have enabled auto-approved file writes (off by default). Version 3.20.3 fixes the issue by adding an additional layer of opt-in configuration for auto-approving writing to Roo's configuration files, including all files within the `.roo/` folder.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:roocode:roo_code:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3364E69F-61DE-4327-BF5E-14162623BBDC",
"versionEndExcluding": "3.20.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Roo Code is an AI-powered autonomous coding agent. The project-specific MCP configuration for the Roo Code agent is stored in the `.roo/mcp.json` file within the VS Code workspace. Because the MCP configuration format allows for execution of arbitrary commands, prior to version 3.20.3, it would have been possible for an attacker with access to craft a prompt to ask the agent to write a malicious command to the MCP configuration file. If the user had opted-in to auto-approving file writes within the project, this would have led to arbitrary command execution. This issue is of moderate severity, since it requires the attacker to already be able to submit prompts to the agent (for instance through a prompt injection attack), for the user to have MCP enabled (on by default), and for the user to have enabled auto-approved file writes (off by default). Version 3.20.3 fixes the issue by adding an additional layer of opt-in configuration for auto-approving writing to Roo\u0027s configuration files, including all files within the `.roo/` folder."
},
{
"lang": "es",
"value": "Roo Code es un agente de codificaci\u00f3n aut\u00f3nomo basado en IA. La configuraci\u00f3n de MCP espec\u00edfica del proyecto para el agente de Roo Code se almacena en el archivo `.roo/mcp.json` dentro del espacio de trabajo de VS Code. Dado que el formato de configuraci\u00f3n de MCP permite la ejecuci\u00f3n de comandos arbitrarios, antes de la versi\u00f3n 3.20.3, un atacante con acceso habr\u00eda podido manipular un mensaje para solicitar al agente que escribiera un comando malicioso en el archivo de configuraci\u00f3n de MCP. Si el usuario hubiera habilitado la aprobaci\u00f3n autom\u00e1tica de escrituras de archivos dentro del proyecto, esto habr\u00eda provocado la ejecuci\u00f3n de comandos arbitrarios. Este problema es de gravedad moderada, ya que requiere que el atacante ya pueda enviar mensajes al agente (por ejemplo, mediante un ataque de inyecci\u00f3n de mensajes), que el usuario tenga MCP habilitado (activado por defecto) y que tenga habilitada la aprobaci\u00f3n autom\u00e1tica de escrituras de archivos (desactivada por defecto). La versi\u00f3n 3.20.3 corrige el problema agregando una capa adicional de configuraci\u00f3n opt-in para aprobar autom\u00e1ticamente la escritura en los archivos de configuraci\u00f3n de Roo, incluidos todos los archivos dentro de la carpeta `.roo/`."
}
],
"id": "CVE-2025-53098",
"lastModified": "2025-09-15T18:08:32.237",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-06-27T22:15:25.993",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/RooCodeInc/Roo-Code/commit/7d0b22f9e659dc6c26aab0bacbea27874986e772"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-5x8h-m52g-5v54"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-09-05 23:15
Modified
2025-09-10 15:11
Severity ?
Summary
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions below 3.26.0 contain a vulnerability in the command parsing logic where the Bash parameter expansion and indirect reference were not handled correctly. If the agent was configured to auto-approve execution of certain commands, an attacker able to influence prompts could abuse this weakness to execute additional arbitrary commands alongside the intended one. This is fixed in version 3.26.0.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:roocode:roo_code:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FF1ECC76-9F04-425B-9FDA-045A8B21F5E1",
"versionEndExcluding": "3.26.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Roo Code is an AI-powered autonomous coding agent that lives in users\u0027 editors. Versions below 3.26.0 contain a vulnerability in the command parsing logic where the Bash parameter expansion and indirect reference were not handled correctly. If the agent was configured to auto-approve execution of certain commands, an attacker able to influence prompts could abuse this weakness to execute additional arbitrary commands alongside the intended one. This is fixed in version 3.26.0."
}
],
"id": "CVE-2025-58370",
"lastModified": "2025-09-10T15:11:46.347",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-09-05T23:15:30.260",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-2rm5-cvcm-7592"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-09-05 23:15
Modified
2025-09-15 18:08
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions 3.25.23 and below contain a vulnerability where certain VS Code workspace configuration files (.code-workspace) are not protected in the same way as the .vscode folder. If the agent was configured to auto-approve file writes, an attacker able to influence prompts (for example via prompt injection) could cause malicious workspace settings or tasks to be written. These tasks could then be executed automatically when the workspace is reopened, resulting in arbitrary code execution. This issue is fixed in version 3.26.0.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:roocode:roo_code:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FF1ECC76-9F04-425B-9FDA-045A8B21F5E1",
"versionEndExcluding": "3.26.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Roo Code is an AI-powered autonomous coding agent that lives in users\u0027 editors. Versions 3.25.23 and below contain a vulnerability where certain VS Code workspace configuration files (.code-workspace) are not protected in the same way as the .vscode folder. If the agent was configured to auto-approve file writes, an attacker able to influence prompts (for example via prompt injection) could cause malicious workspace settings or tasks to be written. These tasks could then be executed automatically when the workspace is reopened, resulting in arbitrary code execution. This issue is fixed in version 3.26.0."
}
],
"id": "CVE-2025-58372",
"lastModified": "2025-09-15T18:08:35.817",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-09-05T23:15:30.647",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/RooCodeInc/Roo-Code/commit/296edfc829a7c6efc8b5dbe09aa766a9aed79598"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/RooCodeInc/Roo-Code/releases/tag/v3.26.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-4pqh-4ggm-jfmm"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
},
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-09-05 23:15
Modified
2025-09-15 18:08
Severity ?
Summary
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions 3.26.6 and below, a Github workflow used unsanitized pull request metadata in a privileged context, allowing an attacker to craft malicious input and achieve Remote Code Execution (RCE) on the Actions runner. The workflow runs with broad permissions and access to repository secrets. It is possible for an attacker to execute arbitrary commands on the runner, push or modify code in the repository, access secrets, and create malicious releases or packages, resulting in a complete compromise of the repository and its associated services. This is fixed in version 3.26.7.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:roocode:roo_code:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4BCA2678-F80F-4370-9C08-59C3FAA651DC",
"versionEndExcluding": "3.26.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Roo Code is an AI-powered autonomous coding agent that lives in users\u0027 editors. In versions 3.26.6 and below, a Github workflow used unsanitized pull request metadata in a privileged context, allowing an attacker to craft malicious input and achieve Remote Code Execution (RCE) on the Actions runner. The workflow runs with broad permissions and access to repository secrets. It is possible for an attacker to execute arbitrary commands on the runner, push or modify code in the repository, access secrets, and create malicious releases or packages, resulting in a complete compromise of the repository and its associated services. This is fixed in version 3.26.7."
}
],
"id": "CVE-2025-58371",
"lastModified": "2025-09-15T18:08:40.367",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-09-05T23:15:30.467",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/RooCodeInc/Roo-Code/commit/a0384f35d5ae3b7f66506cc62dda25d9bb673f49"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-xr6r-vj48-29f6"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-06-27 22:15
Modified
2025-09-15 13:47
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Roo Code is an AI-powered autonomous coding agent. Prior to version 3.20.3, there was an issue where the Roo Code agent's `search_files` tool did not respect the setting to disable reads outside of the VS Code workspace. This means that an attacker who was able to inject a prompt into the agent could potentially read a sensitive file and then write the information to a JSON schema. Users have the option to disable schema fetching in VS Code, but the feature is enabled by default. For users with this feature enabled, writing to the schema would trigger a network request without the user having a chance to deny. This issue is of moderate severity, since it requires the attacker to already be able to submit prompts to the agent. Version 3.20.3 fixed the issue where `search_files` did not respect the setting to limit it to the workspace. This reduces the scope of the damage if an attacker is able to take control of the agent through prompt injection or another vector.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:roocode:roo_code:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3364E69F-61DE-4327-BF5E-14162623BBDC",
"versionEndExcluding": "3.20.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Roo Code is an AI-powered autonomous coding agent. Prior to version 3.20.3, there was an issue where the Roo Code agent\u0027s `search_files` tool did not respect the setting to disable reads outside of the VS Code workspace. This means that an attacker who was able to inject a prompt into the agent could potentially read a sensitive file and then write the information to a JSON schema. Users have the option to disable schema fetching in VS Code, but the feature is enabled by default. For users with this feature enabled, writing to the schema would trigger a network request without the user having a chance to deny. This issue is of moderate severity, since it requires the attacker to already be able to submit prompts to the agent. Version 3.20.3 fixed the issue where `search_files` did not respect the setting to limit it to the workspace. This reduces the scope of the damage if an attacker is able to take control of the agent through prompt injection or another vector."
},
{
"lang": "es",
"value": "Roo Code es un agente de codificaci\u00f3n aut\u00f3nomo basado en IA. Antes de la versi\u00f3n 3.20.3, exist\u00eda un problema por el cual la herramienta `search_files` del agente Roo Code no respetaba la configuraci\u00f3n para deshabilitar las lecturas fuera del espacio de trabajo de VS Code. Esto significa que un atacante que pudiera inyectar un mensaje en el agente podr\u00eda leer un archivo confidencial y luego escribir la informaci\u00f3n en un esquema JSON. Los usuarios tienen la opci\u00f3n de deshabilitar la obtenci\u00f3n del esquema en VS Code, pero la funci\u00f3n est\u00e1 habilitada por defecto. Para los usuarios con esta funci\u00f3n habilitada, escribir en el esquema activar\u00eda una solicitud de red sin que el usuario pudiera denegarla. Este problema es de gravedad moderada, ya que requiere que el atacante ya pueda enviar mensajes al agente. La versi\u00f3n 3.20.3 solucion\u00f3 el problema por el cual `search_files` no respetaba la configuraci\u00f3n para limitarlo al espacio de trabajo. Esto reduce el alcance del da\u00f1o si un atacante logra tomar el control del agente mediante la inyecci\u00f3n de mensajes u otro vector."
}
],
"id": "CVE-2025-53097",
"lastModified": "2025-09-15T13:47:38.837",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-06-27T22:15:25.803",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/RooCodeInc/Roo-Code/commit/10b2fb32ed047bbd7b8d10ef185c1ed345efcc92"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/RooCodeInc/Roo-Code/commit/7d0b22f9e659dc6c26aab0bacbea27874986e772"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-wr2q-46pg-f228"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-07-07 18:15
Modified
2025-09-15 18:07
Severity ?
Summary
Roo Code is an AI-powered autonomous coding agent. Prior to 3.22.6, if the victim had "Write" auto-approved, an attacker with the ability to submit prompts to the agent could write to VS Code settings files and trigger code execution. There were multiple ways to achieve that. One example is with the php.validate.executablePath setting which lets you set the path for the php executable for syntax validation. The attacker could have written the path to an arbitrary command there and then created a php file to trigger it. This vulnerability is fixed in 3.22.6.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:roocode:roo_code:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DF0738FD-1069-4614-A4B9-3C45E7312B41",
"versionEndExcluding": "3.22.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Roo Code is an AI-powered autonomous coding agent. Prior to 3.22.6, if the victim had \"Write\" auto-approved, an attacker with the ability to submit prompts to the agent could write to VS Code settings files and trigger code execution. There were multiple ways to achieve that. One example is with the php.validate.executablePath setting which lets you set the path for the php executable for syntax validation. The attacker could have written the path to an arbitrary command there and then created a php file to trigger it. This vulnerability is fixed in 3.22.6."
},
{
"lang": "es",
"value": "Roo Code es un agente de codificaci\u00f3n aut\u00f3nomo basado en IA. Antes de la versi\u00f3n 3.22.6, si la v\u00edctima ten\u00eda la opci\u00f3n \"Escribir\" aprobada autom\u00e1ticamente, un atacante con la capacidad de enviar solicitudes al agente pod\u00eda escribir en los archivos de configuraci\u00f3n de VS Code y activar la ejecuci\u00f3n del c\u00f3digo. Hab\u00eda varias maneras de lograrlo. Un ejemplo es la configuraci\u00f3n php.validate.executablePath, que permite establecer la ruta del ejecutable PHP para la validaci\u00f3n de sintaxis. El atacante podr\u00eda haber escrito la ruta a un comando arbitrario y luego haber creado un archivo PHP para activarlo. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 3.22.6."
}
],
"id": "CVE-2025-53536",
"lastModified": "2025-09-15T18:07:43.553",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-07-07T18:15:28.980",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/RooCodeInc/Roo-Code/commit/1be6fce1a6864ae63e8160b0666db2c647f2dbba"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/RooCodeInc/Roo-Code/commit/3993406ebdc0553a32ef391a799a4fb124930a1c"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-3765-5vjr-qjgm"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-552"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-07-23 21:15
Modified
2025-09-11 15:56
Severity ?
Summary
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions 3.23.18 and below, RooCode does not validate line breaks (\n) in its command input, allowing potential bypass of the allow-list mechanism. The project appears to lack parsing or validation logic to prevent multi-line command injection. When commands are evaluated for execution, only the first line or token may be considered, enabling attackers to smuggle additional commands in subsequent lines. This is fixed in version 3.23.19.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:roocode:roo_code:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AB19EFC9-FDEB-4551-A9D4-944FF0FB3BD0",
"versionEndExcluding": "3.23.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Roo Code is an AI-powered autonomous coding agent that lives in users\u0027 editors. In versions 3.23.18 and below, RooCode does not validate line breaks (\\n) in its command input, allowing potential bypass of the allow-list mechanism. The project appears to lack parsing or validation logic to prevent multi-line command injection. When commands are evaluated for execution, only the first line or token may be considered, enabling attackers to smuggle additional commands in subsequent lines. This is fixed in version 3.23.19."
},
{
"lang": "es",
"value": "Roo Code es un agente de codificaci\u00f3n aut\u00f3nomo basado en IA que reside en los editores de los usuarios. En las versiones 3.23.18 y anteriores, RooCode no valida los saltos de l\u00ednea (\\n) en la entrada de comandos, lo que permite eludir el mecanismo de lista blanca. El proyecto parece carecer de l\u00f3gica de an\u00e1lisis o validaci\u00f3n para evitar la inyecci\u00f3n de comandos multil\u00ednea. Al evaluar la ejecuci\u00f3n de los comandos, solo se considera la primera l\u00ednea o token, lo que permite a los atacantes introducir comandos adicionales en l\u00edneas posteriores. Esto se solucion\u00f3 en la versi\u00f3n 3.23.19."
}
],
"id": "CVE-2025-54377",
"lastModified": "2025-09-11T15:56:35.037",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-07-23T21:15:27.060",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/RooCodeInc/Roo-Code/commit/9d434c2db9b20eb5c78b698cb2b0037cd2074534"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-p278-52x9-cffx"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-p278-52x9-cffx"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-09-05 23:15
Modified
2025-09-15 18:08
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions 3.25.23 and below contain a vulnerability where .rooignore protections could be bypassed using symlinks. This allows an attacker with write access to the workspace to trick the extension into reading files that were intended to be excluded. As a result, sensitive files such as .env or configuration files could be exposed. An attacker able to modify files within the workspace could gain unauthorized access to sensitive information by bypassing .rooignore rules. This could include secrets, configuration details, or other excluded project data. This is fixed in version 3.26.0.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:roocode:roo_code:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FF1ECC76-9F04-425B-9FDA-045A8B21F5E1",
"versionEndExcluding": "3.26.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Roo Code is an AI-powered autonomous coding agent that lives in users\u0027 editors. Versions 3.25.23 and below contain a vulnerability where .rooignore protections could be bypassed using symlinks. This allows an attacker with write access to the workspace to trick the extension into reading files that were intended to be excluded. As a result, sensitive files such as .env or configuration files could be exposed. An attacker able to modify files within the workspace could gain unauthorized access to sensitive information by bypassing .rooignore rules. This could include secrets, configuration details, or other excluded project data. This is fixed in version 3.26.0."
}
],
"id": "CVE-2025-58373",
"lastModified": "2025-09-15T18:08:02.383",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-09-05T23:15:30.830",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/RooCodeInc/Roo-Code/pull/7405"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/RooCodeInc/Roo-Code/releases/tag/v3.26.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-p76r-7mc3-qh7c"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-59"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
CVE-2025-53097 (GCVE-0-2025-53097)
Vulnerability from cvelistv5
Published
2025-06-27 21:43
Modified
2025-06-30 16:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Summary
Roo Code is an AI-powered autonomous coding agent. Prior to version 3.20.3, there was an issue where the Roo Code agent's `search_files` tool did not respect the setting to disable reads outside of the VS Code workspace. This means that an attacker who was able to inject a prompt into the agent could potentially read a sensitive file and then write the information to a JSON schema. Users have the option to disable schema fetching in VS Code, but the feature is enabled by default. For users with this feature enabled, writing to the schema would trigger a network request without the user having a chance to deny. This issue is of moderate severity, since it requires the attacker to already be able to submit prompts to the agent. Version 3.20.3 fixed the issue where `search_files` did not respect the setting to limit it to the workspace. This reduces the scope of the damage if an attacker is able to take control of the agent through prompt injection or another vector.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RooCodeInc | Roo-Code |
Version: < 3.20.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53097",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-30T16:22:34.112486Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-30T16:22:40.734Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Roo-Code",
"vendor": "RooCodeInc",
"versions": [
{
"status": "affected",
"version": "\u003c 3.20.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Roo Code is an AI-powered autonomous coding agent. Prior to version 3.20.3, there was an issue where the Roo Code agent\u0027s `search_files` tool did not respect the setting to disable reads outside of the VS Code workspace. This means that an attacker who was able to inject a prompt into the agent could potentially read a sensitive file and then write the information to a JSON schema. Users have the option to disable schema fetching in VS Code, but the feature is enabled by default. For users with this feature enabled, writing to the schema would trigger a network request without the user having a chance to deny. This issue is of moderate severity, since it requires the attacker to already be able to submit prompts to the agent. Version 3.20.3 fixed the issue where `search_files` did not respect the setting to limit it to the workspace. This reduces the scope of the damage if an attacker is able to take control of the agent through prompt injection or another vector."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-27T21:43:31.678Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-wr2q-46pg-f228",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-wr2q-46pg-f228"
},
{
"name": "https://github.com/RooCodeInc/Roo-Code/commit/10b2fb32ed047bbd7b8d10ef185c1ed345efcc92",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RooCodeInc/Roo-Code/commit/10b2fb32ed047bbd7b8d10ef185c1ed345efcc92"
},
{
"name": "https://github.com/RooCodeInc/Roo-Code/commit/7d0b22f9e659dc6c26aab0bacbea27874986e772",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RooCodeInc/Roo-Code/commit/7d0b22f9e659dc6c26aab0bacbea27874986e772"
}
],
"source": {
"advisory": "GHSA-wr2q-46pg-f228",
"discovery": "UNKNOWN"
},
"title": "Roo Code extension vulnerable to Potential Information Leakage via JSON Schema"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53097",
"datePublished": "2025-06-27T21:43:31.678Z",
"dateReserved": "2025-06-25T13:41:23.086Z",
"dateUpdated": "2025-06-30T16:22:40.734Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54377 (GCVE-0-2025-54377)
Vulnerability from cvelistv5
Published
2025-07-23 20:36
Modified
2025-07-23 20:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Summary
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions 3.23.18 and below, RooCode does not validate line breaks (\n) in its command input, allowing potential bypass of the allow-list mechanism. The project appears to lack parsing or validation logic to prevent multi-line command injection. When commands are evaluated for execution, only the first line or token may be considered, enabling attackers to smuggle additional commands in subsequent lines. This is fixed in version 3.23.19.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-p278-52x9-cffx | x_refsource_CONFIRM | |
| https://github.com/RooCodeInc/Roo-Code/commit/9d434c2db9b20eb5c78b698cb2b0037cd2074534 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RooCodeInc | Roo-Code |
Version: < 3.23.19 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54377",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-23T20:48:19.792562Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-23T20:48:31.557Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-p278-52x9-cffx"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Roo-Code",
"vendor": "RooCodeInc",
"versions": [
{
"status": "affected",
"version": "\u003c 3.23.19"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Roo Code is an AI-powered autonomous coding agent that lives in users\u0027 editors. In versions 3.23.18 and below, RooCode does not validate line breaks (\\n) in its command input, allowing potential bypass of the allow-list mechanism. The project appears to lack parsing or validation logic to prevent multi-line command injection. When commands are evaluated for execution, only the first line or token may be considered, enabling attackers to smuggle additional commands in subsequent lines. This is fixed in version 3.23.19."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-23T20:36:01.878Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-p278-52x9-cffx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-p278-52x9-cffx"
},
{
"name": "https://github.com/RooCodeInc/Roo-Code/commit/9d434c2db9b20eb5c78b698cb2b0037cd2074534",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RooCodeInc/Roo-Code/commit/9d434c2db9b20eb5c78b698cb2b0037cd2074534"
}
],
"source": {
"advisory": "GHSA-p278-52x9-cffx",
"discovery": "UNKNOWN"
},
"title": "Roo Code Lacks Line Break Validation in its Command Execution Tool"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54377",
"datePublished": "2025-07-23T20:36:01.878Z",
"dateReserved": "2025-07-21T16:12:20.733Z",
"dateUpdated": "2025-07-23T20:48:31.557Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-58374 (GCVE-0-2025-58374)
Vulnerability from cvelistv5
Published
2025-09-06 02:19
Modified
2025-09-08 14:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Summary
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions 3.25.23 and below contain a default list of allowed commands that do not need manual approval if auto-approve is enabled, and npm install is included in that list. Because npm install executes lifecycle scripts, if a repository’s package.json file contains a malicious postinstall script, it would be executed automatically without user approval. This means that enabling auto-approved commands and opening a malicious repo could result in arbitrary code execution. This is fixed in version 3.26.0.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-c292-qxq4-4p2v | x_refsource_CONFIRM | |
| https://github.com/RooCodeInc/Roo-Code/pull/7390/files | x_refsource_MISC | |
| https://github.com/RooCodeInc/Roo-Code/releases/tag/v3.26.0 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RooCodeInc | Roo-Code |
Version: < 3.26.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58374",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-08T13:53:41.487362Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-08T14:05:33.807Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Roo-Code",
"vendor": "RooCodeInc",
"versions": [
{
"status": "affected",
"version": "\u003c 3.26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Roo Code is an AI-powered autonomous coding agent that lives in users\u0027 editors. Versions 3.25.23 and below contain a default list of allowed commands that do not need manual approval if auto-approve is enabled, and npm install is included in that list. Because npm install executes lifecycle scripts, if a repository\u2019s package.json file contains a malicious postinstall script, it would be executed automatically without user approval. This means that enabling auto-approved commands and opening a malicious repo could result in arbitrary code execution. This is fixed in version 3.26.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-06T02:19:40.112Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-c292-qxq4-4p2v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-c292-qxq4-4p2v"
},
{
"name": "https://github.com/RooCodeInc/Roo-Code/pull/7390/files",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RooCodeInc/Roo-Code/pull/7390/files"
},
{
"name": "https://github.com/RooCodeInc/Roo-Code/releases/tag/v3.26.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RooCodeInc/Roo-Code/releases/tag/v3.26.0"
}
],
"source": {
"advisory": "GHSA-c292-qxq4-4p2v",
"discovery": "UNKNOWN"
},
"title": "Roo Code: Auto-approve allows npm install execution of malicious postinstall scripts"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-58374",
"datePublished": "2025-09-06T02:19:40.112Z",
"dateReserved": "2025-08-29T16:19:59.012Z",
"dateUpdated": "2025-09-08T14:05:33.807Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-58371 (GCVE-0-2025-58371)
Vulnerability from cvelistv5
Published
2025-09-05 22:42
Modified
2025-09-08 20:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Summary
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions 3.26.6 and below, a Github workflow used unsanitized pull request metadata in a privileged context, allowing an attacker to craft malicious input and achieve Remote Code Execution (RCE) on the Actions runner. The workflow runs with broad permissions and access to repository secrets. It is possible for an attacker to execute arbitrary commands on the runner, push or modify code in the repository, access secrets, and create malicious releases or packages, resulting in a complete compromise of the repository and its associated services. This is fixed in version 3.26.7.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-xr6r-vj48-29f6 | x_refsource_CONFIRM | |
| https://github.com/RooCodeInc/Roo-Code/commit/a0384f35d5ae3b7f66506cc62dda25d9bb673f49 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RooCodeInc | Roo-Code |
Version: < 3.26.7 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58371",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-08T20:10:50.976759Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-08T20:10:59.998Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Roo-Code",
"vendor": "RooCodeInc",
"versions": [
{
"status": "affected",
"version": "\u003c 3.26.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Roo Code is an AI-powered autonomous coding agent that lives in users\u0027 editors. In versions 3.26.6 and below, a Github workflow used unsanitized pull request metadata in a privileged context, allowing an attacker to craft malicious input and achieve Remote Code Execution (RCE) on the Actions runner. The workflow runs with broad permissions and access to repository secrets. It is possible for an attacker to execute arbitrary commands on the runner, push or modify code in the repository, access secrets, and create malicious releases or packages, resulting in a complete compromise of the repository and its associated services. This is fixed in version 3.26.7."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T22:42:59.876Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-xr6r-vj48-29f6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-xr6r-vj48-29f6"
},
{
"name": "https://github.com/RooCodeInc/Roo-Code/commit/a0384f35d5ae3b7f66506cc62dda25d9bb673f49",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RooCodeInc/Roo-Code/commit/a0384f35d5ae3b7f66506cc62dda25d9bb673f49"
}
],
"source": {
"advisory": "GHSA-xr6r-vj48-29f6",
"discovery": "UNKNOWN"
},
"title": "Roo Code is vulnerable to command injection via GitHub actions workflow"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-58371",
"datePublished": "2025-09-05T22:42:59.876Z",
"dateReserved": "2025-08-29T16:19:59.012Z",
"dateUpdated": "2025-09-08T20:10:59.998Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-53536 (GCVE-0-2025-53536)
Vulnerability from cvelistv5
Published
2025-07-07 17:57
Modified
2025-07-08 13:31
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-552 - Files or Directories Accessible to External Parties
Summary
Roo Code is an AI-powered autonomous coding agent. Prior to 3.22.6, if the victim had "Write" auto-approved, an attacker with the ability to submit prompts to the agent could write to VS Code settings files and trigger code execution. There were multiple ways to achieve that. One example is with the php.validate.executablePath setting which lets you set the path for the php executable for syntax validation. The attacker could have written the path to an arbitrary command there and then created a php file to trigger it. This vulnerability is fixed in 3.22.6.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RooCodeInc | Roo-Code |
Version: < 3.22.6 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53536",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-08T13:29:26.664118Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-08T13:31:24.035Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Roo-Code",
"vendor": "RooCodeInc",
"versions": [
{
"status": "affected",
"version": "\u003c 3.22.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Roo Code is an AI-powered autonomous coding agent. Prior to 3.22.6, if the victim had \"Write\" auto-approved, an attacker with the ability to submit prompts to the agent could write to VS Code settings files and trigger code execution. There were multiple ways to achieve that. One example is with the php.validate.executablePath setting which lets you set the path for the php executable for syntax validation. The attacker could have written the path to an arbitrary command there and then created a php file to trigger it. This vulnerability is fixed in 3.22.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552: Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T17:57:36.835Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-3765-5vjr-qjgm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-3765-5vjr-qjgm"
},
{
"name": "https://github.com/RooCodeInc/Roo-Code/commit/1be6fce1a6864ae63e8160b0666db2c647f2dbba",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RooCodeInc/Roo-Code/commit/1be6fce1a6864ae63e8160b0666db2c647f2dbba"
},
{
"name": "https://github.com/RooCodeInc/Roo-Code/commit/3993406ebdc0553a32ef391a799a4fb124930a1c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RooCodeInc/Roo-Code/commit/3993406ebdc0553a32ef391a799a4fb124930a1c"
}
],
"source": {
"advisory": "GHSA-3765-5vjr-qjgm",
"discovery": "UNKNOWN"
},
"title": "Roo Code allows Potential Remote Code Execution via .vscode/settings.json"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53536",
"datePublished": "2025-07-07T17:57:36.835Z",
"dateReserved": "2025-07-02T15:15:11.515Z",
"dateUpdated": "2025-07-08T13:31:24.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-58370 (GCVE-0-2025-58370)
Vulnerability from cvelistv5
Published
2025-09-05 22:09
Modified
2025-09-08 20:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Summary
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions below 3.26.0 contain a vulnerability in the command parsing logic where the Bash parameter expansion and indirect reference were not handled correctly. If the agent was configured to auto-approve execution of certain commands, an attacker able to influence prompts could abuse this weakness to execute additional arbitrary commands alongside the intended one. This is fixed in version 3.26.0.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-2rm5-cvcm-7592 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RooCodeInc | Roo-Code |
Version: < 3.26.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58370",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-08T20:10:04.725591Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-08T20:10:12.235Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Roo-Code",
"vendor": "RooCodeInc",
"versions": [
{
"status": "affected",
"version": "\u003c 3.26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Roo Code is an AI-powered autonomous coding agent that lives in users\u0027 editors. Versions below 3.26.0 contain a vulnerability in the command parsing logic where the Bash parameter expansion and indirect reference were not handled correctly. If the agent was configured to auto-approve execution of certain commands, an attacker able to influence prompts could abuse this weakness to execute additional arbitrary commands alongside the intended one. This is fixed in version 3.26.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T22:09:52.492Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-2rm5-cvcm-7592",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-2rm5-cvcm-7592"
}
],
"source": {
"advisory": "GHSA-2rm5-cvcm-7592",
"discovery": "UNKNOWN"
},
"title": "Roo Code: Potential Remote Code Execution via Bash Parameter Expansion and Indirect Reference"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-58370",
"datePublished": "2025-09-05T22:09:04.786Z",
"dateReserved": "2025-08-29T16:19:59.012Z",
"dateUpdated": "2025-09-08T20:10:12.235Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-53098 (GCVE-0-2025-53098)
Vulnerability from cvelistv5
Published
2025-06-27 21:43
Modified
2025-07-03 14:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Summary
Roo Code is an AI-powered autonomous coding agent. The project-specific MCP configuration for the Roo Code agent is stored in the `.roo/mcp.json` file within the VS Code workspace. Because the MCP configuration format allows for execution of arbitrary commands, prior to version 3.20.3, it would have been possible for an attacker with access to craft a prompt to ask the agent to write a malicious command to the MCP configuration file. If the user had opted-in to auto-approving file writes within the project, this would have led to arbitrary command execution. This issue is of moderate severity, since it requires the attacker to already be able to submit prompts to the agent (for instance through a prompt injection attack), for the user to have MCP enabled (on by default), and for the user to have enabled auto-approved file writes (off by default). Version 3.20.3 fixes the issue by adding an additional layer of opt-in configuration for auto-approving writing to Roo's configuration files, including all files within the `.roo/` folder.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-5x8h-m52g-5v54 | x_refsource_CONFIRM | |
| https://github.com/RooCodeInc/Roo-Code/commit/7d0b22f9e659dc6c26aab0bacbea27874986e772 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RooCodeInc | Roo-Code |
Version: < 3.20.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53098",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-03T14:27:45.502230Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-03T14:27:54.220Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Roo-Code",
"vendor": "RooCodeInc",
"versions": [
{
"status": "affected",
"version": "\u003c 3.20.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Roo Code is an AI-powered autonomous coding agent. The project-specific MCP configuration for the Roo Code agent is stored in the `.roo/mcp.json` file within the VS Code workspace. Because the MCP configuration format allows for execution of arbitrary commands, prior to version 3.20.3, it would have been possible for an attacker with access to craft a prompt to ask the agent to write a malicious command to the MCP configuration file. If the user had opted-in to auto-approving file writes within the project, this would have led to arbitrary command execution. This issue is of moderate severity, since it requires the attacker to already be able to submit prompts to the agent (for instance through a prompt injection attack), for the user to have MCP enabled (on by default), and for the user to have enabled auto-approved file writes (off by default). Version 3.20.3 fixes the issue by adding an additional layer of opt-in configuration for auto-approving writing to Roo\u0027s configuration files, including all files within the `.roo/` folder."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T13:59:57.913Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-5x8h-m52g-5v54",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-5x8h-m52g-5v54"
},
{
"name": "https://github.com/RooCodeInc/Roo-Code/commit/7d0b22f9e659dc6c26aab0bacbea27874986e772",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RooCodeInc/Roo-Code/commit/7d0b22f9e659dc6c26aab0bacbea27874986e772"
}
],
"source": {
"advisory": "GHSA-5x8h-m52g-5v54",
"discovery": "UNKNOWN"
},
"title": "Roo Code Vulnerable to Potential Remote Code Execution via Model Context Protocol"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53098",
"datePublished": "2025-06-27T21:43:35.031Z",
"dateReserved": "2025-06-25T13:41:23.086Z",
"dateUpdated": "2025-07-03T14:27:54.220Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-58372 (GCVE-0-2025-58372)
Vulnerability from cvelistv5
Published
2025-09-05 22:51
Modified
2025-09-08 20:11
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions 3.25.23 and below contain a vulnerability where certain VS Code workspace configuration files (.code-workspace) are not protected in the same way as the .vscode folder. If the agent was configured to auto-approve file writes, an attacker able to influence prompts (for example via prompt injection) could cause malicious workspace settings or tasks to be written. These tasks could then be executed automatically when the workspace is reopened, resulting in arbitrary code execution. This issue is fixed in version 3.26.0.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-4pqh-4ggm-jfmm | x_refsource_CONFIRM | |
| https://github.com/RooCodeInc/Roo-Code/commit/296edfc829a7c6efc8b5dbe09aa766a9aed79598 | x_refsource_MISC | |
| https://github.com/RooCodeInc/Roo-Code/releases/tag/v3.26.0 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RooCodeInc | Roo-Code |
Version: < 3.26.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58372",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-08T20:11:31.387986Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-08T20:11:45.799Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Roo-Code",
"vendor": "RooCodeInc",
"versions": [
{
"status": "affected",
"version": "\u003c 3.26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Roo Code is an AI-powered autonomous coding agent that lives in users\u0027 editors. Versions 3.25.23 and below contain a vulnerability where certain VS Code workspace configuration files (.code-workspace) are not protected in the same way as the .vscode folder. If the agent was configured to auto-approve file writes, an attacker able to influence prompts (for example via prompt injection) could cause malicious workspace settings or tasks to be written. These tasks could then be executed automatically when the workspace is reopened, resulting in arbitrary code execution. This issue is fixed in version 3.26.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T22:51:01.725Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-4pqh-4ggm-jfmm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-4pqh-4ggm-jfmm"
},
{
"name": "https://github.com/RooCodeInc/Roo-Code/commit/296edfc829a7c6efc8b5dbe09aa766a9aed79598",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RooCodeInc/Roo-Code/commit/296edfc829a7c6efc8b5dbe09aa766a9aed79598"
},
{
"name": "https://github.com/RooCodeInc/Roo-Code/releases/tag/v3.26.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RooCodeInc/Roo-Code/releases/tag/v3.26.0"
}
],
"source": {
"advisory": "GHSA-4pqh-4ggm-jfmm",
"discovery": "UNKNOWN"
},
"title": "Roo Code: Potential Remote Code Execution via .code-workspace"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-58372",
"datePublished": "2025-09-05T22:51:01.725Z",
"dateReserved": "2025-08-29T16:19:59.012Z",
"dateUpdated": "2025-09-08T20:11:45.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-58373 (GCVE-0-2025-58373)
Vulnerability from cvelistv5
Published
2025-09-05 22:55
Modified
2025-09-08 20:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Summary
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions 3.25.23 and below contain a vulnerability where .rooignore protections could be bypassed using symlinks. This allows an attacker with write access to the workspace to trick the extension into reading files that were intended to be excluded. As a result, sensitive files such as .env or configuration files could be exposed. An attacker able to modify files within the workspace could gain unauthorized access to sensitive information by bypassing .rooignore rules. This could include secrets, configuration details, or other excluded project data. This is fixed in version 3.26.0.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-p76r-7mc3-qh7c | x_refsource_CONFIRM | |
| https://github.com/RooCodeInc/Roo-Code/pull/7405 | x_refsource_MISC | |
| https://github.com/RooCodeInc/Roo-Code/releases/tag/v3.26.0 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RooCodeInc | Roo-Code |
Version: < 3.26.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58373",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-08T20:12:34.695920Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-08T20:12:43.405Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Roo-Code",
"vendor": "RooCodeInc",
"versions": [
{
"status": "affected",
"version": "\u003c 3.26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Roo Code is an AI-powered autonomous coding agent that lives in users\u0027 editors. Versions 3.25.23 and below contain a vulnerability where .rooignore protections could be bypassed using symlinks. This allows an attacker with write access to the workspace to trick the extension into reading files that were intended to be excluded. As a result, sensitive files such as .env or configuration files could be exposed. An attacker able to modify files within the workspace could gain unauthorized access to sensitive information by bypassing .rooignore rules. This could include secrets, configuration details, or other excluded project data. This is fixed in version 3.26.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T22:55:54.546Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-p76r-7mc3-qh7c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-p76r-7mc3-qh7c"
},
{
"name": "https://github.com/RooCodeInc/Roo-Code/pull/7405",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RooCodeInc/Roo-Code/pull/7405"
},
{
"name": "https://github.com/RooCodeInc/Roo-Code/releases/tag/v3.26.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RooCodeInc/Roo-Code/releases/tag/v3.26.0"
}
],
"source": {
"advisory": "GHSA-p76r-7mc3-qh7c",
"discovery": "UNKNOWN"
},
"title": "Roo Code: Symlink-bypass of .rooignore can lead to unintended file disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-58373",
"datePublished": "2025-09-05T22:55:54.546Z",
"dateReserved": "2025-08-29T16:19:59.012Z",
"dateUpdated": "2025-09-08T20:12:43.405Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}