CVE-2025-53097: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in RooCodeInc Roo-Code
Roo Code is an AI-powered autonomous coding agent. Prior to version 3.20.3, there was an issue where the Roo Code agent's `search_files` tool did not respect the setting to disable reads outside of the VS Code workspace. This means that an attacker who was able to inject a prompt into the agent could potentially read a sensitive file and then write the information to a JSON schema. Users have the option to disable schema fetching in VS Code, but the feature is enabled by default. For users with this feature enabled, writing to the schema would trigger a network request without the user having a chance to deny. This issue is of moderate severity, since it requires the attacker to already be able to submit prompts to the agent. Version 3.20.3 fixed the issue where `search_files` did not respect the setting to limit it to the workspace. This reduces the scope of the damage if an attacker is able to take control of the agent through prompt injection or another vector.
AI Analysis
Technical Summary
CVE-2025-53097 is a medium-severity vulnerability affecting versions of RooCodeInc's AI-powered autonomous coding agent, Roo-Code, prior to version 3.20.3. The vulnerability stems from improper neutralization of special elements in output used by a downstream component, specifically categorized under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, commonly known as Injection). The root cause is that the `search_files` tool within the Roo-Code agent did not properly respect the configuration setting designed to restrict file reads to within the Visual Studio Code (VS Code) workspace. This misconfiguration allows an attacker who can inject malicious prompts into the agent to potentially read sensitive files outside the intended workspace boundary. The attacker could then write the extracted sensitive information into a JSON schema. Since VS Code users have schema fetching enabled by default, this action would trigger an automatic network request to fetch the schema without user intervention or consent, potentially leaking sensitive data externally. The vulnerability requires the attacker to already have the capability to submit crafted prompts to the agent, which limits the attack surface to scenarios where prompt injection or similar vectors are feasible. The fix introduced in version 3.20.3 ensures that the `search_files` tool respects the workspace boundary setting, thereby reducing the scope of unauthorized file access and mitigating the risk of sensitive data exfiltration through schema fetching. The CVSS v3.1 base score is 5.9, reflecting a medium severity level, with a network attack vector but requiring high attack complexity and no privileges or user interaction. The vulnerability impacts confidentiality but not integrity or availability, and no known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations using Roo-Code versions prior to 3.20.3, this vulnerability poses a moderate risk primarily to confidentiality. If an attacker can inject malicious prompts—potentially via compromised development environments, insider threats, or supply chain attacks—they could read sensitive files outside the intended workspace and exfiltrate data via network requests triggered by schema fetching in VS Code. This could lead to leakage of proprietary source code, credentials, or other confidential information. The impact is heightened in organizations with strict data protection regulations such as GDPR, where unauthorized data disclosure can result in regulatory penalties and reputational damage. However, the requirement for prompt injection limits the likelihood of exploitation, and the absence of known exploits reduces immediate risk. The vulnerability does not affect system integrity or availability, so operational disruption is unlikely. Nonetheless, organizations relying heavily on Roo-Code for autonomous coding assistance should consider this a significant confidentiality risk, especially in sectors like finance, healthcare, and critical infrastructure where sensitive code and data are prevalent.
Mitigation Recommendations
European organizations should immediately upgrade Roo-Code to version 3.20.3 or later to ensure the `search_files` tool respects workspace boundaries and mitigates unauthorized file reads. Until the upgrade is applied, organizations should consider disabling schema fetching in VS Code to prevent automatic network requests that could leak data. Additionally, organizations should audit and restrict access to the Roo-Code agent, ensuring only trusted users can submit prompts, thereby reducing the risk of prompt injection. Implementing monitoring for unusual network requests originating from development environments can help detect potential exploitation attempts. Security teams should also review and harden the supply chain and development environment security to prevent attackers from injecting malicious prompts. Finally, educating developers about the risks of prompt injection and enforcing strict input validation or sanitization in any custom integrations with Roo-Code can further reduce exposure.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium
CVE-2025-53097: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in RooCodeInc Roo-Code
Description
Roo Code is an AI-powered autonomous coding agent. Prior to version 3.20.3, there was an issue where the Roo Code agent's `search_files` tool did not respect the setting to disable reads outside of the VS Code workspace. This means that an attacker who was able to inject a prompt into the agent could potentially read a sensitive file and then write the information to a JSON schema. Users have the option to disable schema fetching in VS Code, but the feature is enabled by default. For users with this feature enabled, writing to the schema would trigger a network request without the user having a chance to deny. This issue is of moderate severity, since it requires the attacker to already be able to submit prompts to the agent. Version 3.20.3 fixed the issue where `search_files` did not respect the setting to limit it to the workspace. This reduces the scope of the damage if an attacker is able to take control of the agent through prompt injection or another vector.
AI-Powered Analysis
Technical Analysis
CVE-2025-53097 is a medium-severity vulnerability affecting versions of RooCodeInc's AI-powered autonomous coding agent, Roo-Code, prior to version 3.20.3. The vulnerability stems from improper neutralization of special elements in output used by a downstream component, specifically categorized under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, commonly known as Injection). The root cause is that the `search_files` tool within the Roo-Code agent did not properly respect the configuration setting designed to restrict file reads to within the Visual Studio Code (VS Code) workspace. This misconfiguration allows an attacker who can inject malicious prompts into the agent to potentially read sensitive files outside the intended workspace boundary. The attacker could then write the extracted sensitive information into a JSON schema. Since VS Code users have schema fetching enabled by default, this action would trigger an automatic network request to fetch the schema without user intervention or consent, potentially leaking sensitive data externally. The vulnerability requires the attacker to already have the capability to submit crafted prompts to the agent, which limits the attack surface to scenarios where prompt injection or similar vectors are feasible. The fix introduced in version 3.20.3 ensures that the `search_files` tool respects the workspace boundary setting, thereby reducing the scope of unauthorized file access and mitigating the risk of sensitive data exfiltration through schema fetching. The CVSS v3.1 base score is 5.9, reflecting a medium severity level, with a network attack vector but requiring high attack complexity and no privileges or user interaction. The vulnerability impacts confidentiality but not integrity or availability, and no known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations using Roo-Code versions prior to 3.20.3, this vulnerability poses a moderate risk primarily to confidentiality. If an attacker can inject malicious prompts—potentially via compromised development environments, insider threats, or supply chain attacks—they could read sensitive files outside the intended workspace and exfiltrate data via network requests triggered by schema fetching in VS Code. This could lead to leakage of proprietary source code, credentials, or other confidential information. The impact is heightened in organizations with strict data protection regulations such as GDPR, where unauthorized data disclosure can result in regulatory penalties and reputational damage. However, the requirement for prompt injection limits the likelihood of exploitation, and the absence of known exploits reduces immediate risk. The vulnerability does not affect system integrity or availability, so operational disruption is unlikely. Nonetheless, organizations relying heavily on Roo-Code for autonomous coding assistance should consider this a significant confidentiality risk, especially in sectors like finance, healthcare, and critical infrastructure where sensitive code and data are prevalent.
Mitigation Recommendations
European organizations should immediately upgrade Roo-Code to version 3.20.3 or later to ensure the `search_files` tool respects workspace boundaries and mitigates unauthorized file reads. Until the upgrade is applied, organizations should consider disabling schema fetching in VS Code to prevent automatic network requests that could leak data. Additionally, organizations should audit and restrict access to the Roo-Code agent, ensuring only trusted users can submit prompts, thereby reducing the risk of prompt injection. Implementing monitoring for unusual network requests originating from development environments can help detect potential exploitation attempts. Security teams should also review and harden the supply chain and development environment security to prevent attackers from injecting malicious prompts. Finally, educating developers about the risks of prompt injection and enforcing strict input validation or sanitization in any custom integrations with Roo-Code can further reduce exposure.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2025-06-25T13:41:23.086Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 685f13136f40f0eb7266fd06
Added to database: 6/27/2025, 9:54:27 PM
Last enriched: 6/27/2025, 10:09:43 PM
Last updated: 7/30/2025, 1:20:20 PM
Views: 41
Related Threats
CVE-2025-8353: CWE-446: UI Discrepancy for Security Feature in Devolutions Server
UnknownCVE-2025-8312: CWE-833: Deadlock in Devolutions Server
UnknownCVE-2025-54656: CWE-117 Improper Output Neutralization for Logs in Apache Software Foundation Apache Struts Extras
MediumCVE-2025-50578: n/a
CriticalCVE-2025-8292: Use after free in Google Chrome
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.