Skip to main content

CVE-2025-53098: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in RooCodeInc Roo-Code

High
VulnerabilityCVE-2025-53098cvecve-2025-53098cwe-77
Published: Fri Jun 27 2025 (06/27/2025, 21:43:35 UTC)
Source: CVE Database V5
Vendor/Project: RooCodeInc
Product: Roo-Code

Description

Roo Code is an AI-powered autonomous coding agent. The project-specific MCP configuration for the Roo Code agent is stored in the `.roo/mcp.json` file within the VS Code workspace. Because the MCP configuration format allows for execution of arbitrary commands, prior to version 3.20.3, it would have been possible for an attacker with access to craft a prompt to ask the agent to write a malicious command to the MCP configuration file. If the user had opted-in to auto-approving file writes within the project, this would have led to arbitrary command execution. This issue is of moderate severity, since it requires the attacker to already be able to submit prompts to the agent (for instance through a prompt injection attack), for the user to have MCP enabled (on by default), and for the user to have enabled auto-approved file writes (off by default). Version 3.20.3 fixes the issue by adding an additional layer of opt-in configuration for auto-approving writing to Roo's configuration files, including all files within the `.roo/` folder.

AI-Powered Analysis

AILast updated: 06/27/2025, 22:09:31 UTC

Technical Analysis

CVE-2025-53098 is a command injection vulnerability identified in RooCodeInc's AI-powered autonomous coding agent, Roo-Code, affecting versions prior to 3.20.3. The vulnerability arises from the way Roo-Code handles its project-specific MCP (Multi-Command Processor) configuration stored in the `.roo/mcp.json` file within the Visual Studio Code workspace. The MCP configuration format inherently allows execution of arbitrary commands. An attacker who can submit crafted prompts to the agent—potentially via prompt injection attacks—could manipulate the agent to write malicious commands into the MCP configuration file. If the user has MCP enabled (which is on by default) and has also opted into auto-approving file writes within the project (off by default), this malicious configuration would be executed, leading to arbitrary command execution on the user's system. This vulnerability is classified under CWE-77 (Improper Neutralization of Special Elements used in a Command, i.e., Command Injection). The risk is moderated by the requirement that the attacker must already have the ability to submit prompts to the agent and the user must have enabled auto-approved file writes, which is not the default setting. The issue was addressed in version 3.20.3 by introducing an additional opt-in configuration layer for auto-approving writes to Roo's configuration files, including all files within the `.roo/` folder, thereby preventing unauthorized command injection via configuration manipulation. The CVSS v3.1 base score is 5.9, reflecting a medium severity level, with network attack vector but requiring high attack complexity and no privileges or user interaction. The vulnerability impacts confidentiality due to potential unauthorized command execution but does not directly affect integrity or availability.

Potential Impact

For European organizations, the impact of this vulnerability can be significant in environments where Roo-Code is used for autonomous coding tasks, especially in development or CI/CD pipelines integrated with Visual Studio Code. Successful exploitation could allow attackers to execute arbitrary commands on developer machines or build servers, potentially leading to unauthorized access to sensitive source code, intellectual property theft, or lateral movement within internal networks. This could also result in the compromise of build artifacts or injection of malicious code into software products, affecting software supply chain integrity. Since the vulnerability requires the attacker to submit crafted prompts to the agent, it is more likely to be exploited in scenarios where the agent is exposed to untrusted inputs, such as shared development environments or automated systems processing external data. The moderate severity and specific conditions reduce the likelihood of widespread exploitation, but targeted attacks against organizations relying heavily on Roo-Code for automation could lead to data breaches or operational disruptions. Additionally, the ability to execute arbitrary commands without user interaction increases the stealth and potential impact of attacks, posing risks to confidentiality and possibly enabling further exploitation.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should immediately upgrade Roo-Code to version 3.20.3 or later, which includes the necessary fixes to prevent unauthorized command execution via MCP configuration files. Organizations should audit their development environments to identify instances of Roo-Code and verify that auto-approved file writes are disabled unless explicitly required and securely configured. It is advisable to enforce strict access controls on the VS Code workspace directories, particularly the `.roo/` folder, to prevent unauthorized modification of configuration files. Implementing input validation and sanitization on any external inputs or prompts submitted to the Roo-Code agent can reduce the risk of prompt injection attacks. Additionally, organizations should monitor logs for unusual file write activities within the `.roo/` directory and anomalous command executions. Employing endpoint detection and response (EDR) solutions to detect suspicious command execution patterns can provide early warning of exploitation attempts. Finally, educating developers about the risks of enabling auto-approved file writes and the importance of cautious prompt crafting when interacting with AI coding agents will further reduce exposure.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-06-25T13:41:23.086Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 685f13136f40f0eb7266fd0b

Added to database: 6/27/2025, 9:54:27 PM

Last enriched: 6/27/2025, 10:09:31 PM

Last updated: 7/13/2025, 1:43:03 PM

Views: 23

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats