Roocodeinc Roo-Code vulnerabilities
11 known vulnerabilities affecting roocodeinc/roo-code.
Total CVEs
11
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL2HIGH8MEDIUM1
Vulnerabilities
Page 1 of 1
CVE-2025-58371P2CRITICALCVSS 9.8fixed in 3.26.72025-09-05
CVE-2025-58371 [CRITICAL] CWE-78 CVE-2025-58371: Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions 3.26.6 a
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions 3.26.6 and below, a Github workflow used unsanitized pull request metadata in a privileged context, allowing an attacker to craft malicious input and achieve Remote Code Execution (RCE) on the Actions runner. The workflow runs with broad permissions and acce
nvd
CVE-2025-58372P2CRITICALCVSS 9.8fixed in 3.26.02025-09-05
CVE-2025-58372 [CRITICAL] CWE-94 CVE-2025-58372: Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions 3.25.23 and
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions 3.25.23 and below contain a vulnerability where certain VS Code workspace configuration files (.code-workspace) are not protected in the same way as the .vscode folder. If the agent was configured to auto-approve file writes, an attacker able to influence promp
nvd
CVE-2025-57771P3HIGHCVSS 8.1fixed in 3.25.52025-08-22
CVE-2025-57771 [HIGH] CWE-78 CVE-2025-57771: Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions prior to
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions prior to 3.25.5, Roo-Code fails to properly handle process substitution and single ampersand characters in the command parsing logic for auto-execute commands. If a user has enabled auto-approved execution for a command such as ls, an attacker who can submit cra
nvd
CVE-2025-58370P3HIGHCVSS 8.1fixed in 3.26.02025-09-05
CVE-2025-58370 [HIGH] CWE-78 CVE-2025-58370: Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions below 3.26.
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions below 3.26.0 contain a vulnerability in the command parsing logic where the Bash parameter expansion and indirect reference were not handled correctly. If the agent was configured to auto-approve execution of certain commands, an attacker able to influence prompts
nvd
CVE-2025-53098P3HIGHCVSS 8.1fixed in 3.20.32025-06-27
CVE-2025-53098 [HIGH] CWE-77 CVE-2025-53098: Roo Code is an AI-powered autonomous coding agent. The project-specific MCP configuration for the Ro
Roo Code is an AI-powered autonomous coding agent. The project-specific MCP configuration for the Roo Code agent is stored in the `.roo/mcp.json` file within the VS Code workspace. Because the MCP configuration format allows for execution of arbitrary commands, prior to version 3.20.3, it would have been possible for an attacker with access to craft a
nvd
CVE-2025-53536P3HIGHCVSS 8.1fixed in 3.22.62025-07-07
CVE-2025-53536 [HIGH] CWE-552 CVE-2025-53536: Roo Code is an AI-powered autonomous coding agent. Prior to 3.22.6, if the victim had "Write" auto-a
Roo Code is an AI-powered autonomous coding agent. Prior to 3.22.6, if the victim had "Write" auto-approved, an attacker with the ability to submit prompts to the agent could write to VS Code settings files and trigger code execution. There were multiple ways to achieve that. One example is with the php.validate.executablePath setting which lets you s
nvd
CVE-2025-65946P3HIGHCVSS 8.1fixed in 3.26.72025-11-21
CVE-2025-65946 [HIGH] CWE-20 CVE-2025-65946: Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Prior to version 3.2
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Prior to version 3.26.7, Due to an error in validation it was possible for Roo to automatically execute commands that did not match the allow list prefixes. This issue has been patched in version 3.26.7.
nvd
CVE-2025-54377P3HIGHCVSS 7.8fixed in 3.23.192025-07-23
CVE-2025-54377 [HIGH] CWE-77 CVE-2025-54377: Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions 3.23.18
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions 3.23.18 and below, RooCode does not validate line breaks (\n) in its command input, allowing potential bypass of the allow-list mechanism. The project appears to lack parsing or validation logic to prevent multi-line command injection. When commands are evaluated
nvd
CVE-2025-53097P3HIGHCVSS 7.5fixed in 3.20.32025-06-27
CVE-2025-53097 [HIGH] CWE-74 CVE-2025-53097: Roo Code is an AI-powered autonomous coding agent. Prior to version 3.20.3, there was an issue where
Roo Code is an AI-powered autonomous coding agent. Prior to version 3.20.3, there was an issue where the Roo Code agent's `search_files` tool did not respect the setting to disable reads outside of the VS Code workspace. This means that an attacker who was able to inject a prompt into the agent could potentially read a sensitive file and then write the
nvd
CVE-2025-58374P3HIGHCVSS 7.8fixed in 3.26.02025-09-06
CVE-2025-58374 [HIGH] CWE-78 CVE-2025-58374: Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions 3.25.23 and
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions 3.25.23 and below contain a default list of allowed commands that do not need manual approval if auto-approve is enabled, and npm install is included in that list. Because npm install executes lifecycle scripts, if a repository’s package.json file contains a malici
nvd
CVE-2025-58373P3MEDIUMCVSS 6.5fixed in 3.26.02025-09-05
CVE-2025-58373 [MEDIUM] CWE-59 CVE-2025-58373: Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions 3.25.23 and
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions 3.25.23 and below contain a vulnerability where .rooignore protections could be bypassed using symlinks. This allows an attacker with write access to the workspace to trick the extension into reading files that were intended to be excluded. As a result, sensitive
nvd