
CVE-2025-57771: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in RooCodeInc Roo-Code

Severity: High
Tags: Vulnerability, CVE-2025-57771, cve, cve-2025-57771, cwe-78
Published: Fri Aug 22 2025 (08/22/2025, 16:35:47 UTC)
Source: CVE Database V5
Vendor/Project: RooCodeInc
Product: Roo-Code

Description

Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions prior to 3.25.5, Roo-Code fails to properly handle process substitution and single ampersand characters in the command parsing logic for auto-execute commands. If a user has enabled auto-approved execution for a command such as ls, an attacker who can submit crafted prompts to the agent may inject arbitrary commands to be executed alongside the intended command. Exploitation requires attacker access to submit prompts and for the user to have enabled auto-approved command execution, which is disabled by default. This vulnerability could allow an attacker to execute arbitrary code. The issue is fixed in version 3.25.5.

AI-Powered Analysis

Last updated: 08/22/2025, 17:02:52 UTC

Technical Analysis

CVE-2025-57771 is a high-severity OS command injection vulnerability affecting Roo-Code, an AI-powered autonomous coding agent integrated into users' code editors. The vulnerability exists in versions prior to 3.25.5 due to improper neutralization of special elements in the command parsing logic, specifically mishandling process substitution and single ampersand characters. When users enable the auto-approved execution feature for commands (which is disabled by default), an attacker who can submit crafted prompts to the agent can inject arbitrary OS commands that execute alongside intended commands such as 'ls'. This flaw stems from inadequate sanitization of input commands, classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command). Exploitation requires no privileges or user interaction beyond the attacker’s ability to submit prompts and the user enabling auto-approved command execution. Successful exploitation could lead to arbitrary code execution with the privileges of the user running Roo-Code, potentially compromising confidentiality, integrity, and availability of the affected system. The vulnerability has a CVSS v3.1 base score of 8.1, indicating high severity, with network attack vector, high attack complexity, no privileges required, and no user interaction needed. The issue was addressed in version 3.25.5 of Roo-Code. No known exploits are currently reported in the wild.
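A simplified model of the parsing gap described above, added here as an illustration; it is not Roo-Code's parser or its 3.25.5 fix. The allowlist, function names and sample commands are assumptions constructed for the example, which shows an auto-approve gate that misses `&` and `<(...)` beside one that fails closed.

```typescript
// Hypothetical allowlist of auto-approved command prefixes (assumption, not Roo-Code's config).
const ALLOWED_PREFIXES: string[] = ["ls", "git status"];

// A segment is allowed only if it equals a prefix or continues it after a space,
// so "lsof" does not match "ls".
function matchesAllowlist(segment: string): boolean {
  const s = segment.replace(/^\s+|\s+$/g, "");
  return ALLOWED_PREFIXES.some((p) => s === p || s.indexOf(p + " ") === 0);
}

function allSegmentsAllowed(segments: string[]): boolean {
  return segments.length > 0 && segments.every((seg) => matchesAllowlist(seg));
}

// Weak gate: splits only on &&, ||, ; and |.
// A lone & and a process substitution stay inside one segment that still starts with "ls".
function naiveAutoApprove(command: string): boolean {
  return allSegmentsAllowed(command.split(/&&|\|\||;|\|/));
}

// Hardened gate: fails closed and falls back to manual approval.
function hardenedAutoApprove(command: string): boolean {
  // <( ), >( ), $( ) and backticks all start a nested command: never auto-approve.
  if (/[<>]\(|\$\(|`/.test(command)) return false;
  // A single & and a newline separate commands just like ; does.
  // No quote parsing: over-splitting (for example on "2>&1") only produces an
  // unknown or empty segment, which means a manual prompt, not an approval.
  return allSegmentsAllowed(command.split(/&&|\|\||[;|&\n]/));
}

// Constructed sample inputs; the echo stands in for any injected command.
const SAMPLE_COMMANDS: string[] = [
  "ls -la",
  "ls -la && git status",
  "ls & echo INJECTED",
  "ls <(echo INJECTED)",
  "ls; rm -rf build",
];

// Commands the weak gate approves but the hardened gate sends to manual review.
function findBypasses(commands: string[]): string[] {
  return commands.filter((c) => naiveAutoApprove(c) && !hardenedAutoApprove(c));
}
```

`findBypasses` doubles as a regression check: any command it returns for a parser under test is one that would run without a prompt.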

Potential Impact

For European organizations, the impact of this vulnerability could be significant, especially for development teams or enterprises relying on Roo-Code for coding automation within their editors. Exploitation could allow attackers to execute arbitrary commands on developer machines or build servers, potentially leading to source code theft, insertion of malicious code, or disruption of development pipelines. This could result in intellectual property loss, supply chain compromise, and operational downtime. Given the nature of the vulnerability, attackers could pivot from compromised developer environments to broader enterprise networks. Confidentiality is at high risk due to potential data exfiltration, integrity is threatened by unauthorized code or configuration changes, and availability could be impacted if critical systems are disrupted. The requirement for the auto-approved command execution feature to be enabled limits the attack surface but does not eliminate risk, particularly in organizations seeking automation efficiency without fully understanding security implications.

Mitigation Recommendations

European organizations should immediately verify the Roo-Code versions deployed and upgrade all instances to version 3.25.5 or later, where the vulnerability is fixed. Until upgrades are completed, disable the auto-approved command execution feature to prevent automatic execution of potentially malicious commands. Implement strict input validation and sanitization on any user-submitted prompts or commands interacting with Roo-Code. Restrict access to Roo-Code agents to trusted users and networks to minimize the risk of attacker prompt submission. Monitor logs for unusual command executions or prompt submissions that could indicate exploitation attempts. Incorporate Roo-Code usage policies into security awareness training, emphasizing the risks of enabling auto-approved execution. Additionally, consider isolating development environments or using containerization to limit the impact of any potential compromise. Regularly audit and update third-party tools integrated into development workflows to ensure timely patching of vulnerabilities.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-08-19T15:16:22.917Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68a89f33ad5a09ad0020783a

Added to database: 8/22/2025, 4:47:47 PM

Last enriched: 8/22/2025, 5:02:52 PM

Last updated: 8/22/2025, 8:17:47 PM
