CVE-2025-53097
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-06-27

Last updated on: 2025-09-15

Assigner: GitHub, Inc.

Description
Roo Code is an AI-powered autonomous coding agent. Prior to version 3.20.3, there was an issue where the Roo Code agent's `search_files` tool did not respect the setting to disable reads outside of the VS Code workspace. This means that an attacker who was able to inject a prompt into the agent could potentially read a sensitive file and then write the information to a JSON schema. Users have the option to disable schema fetching in VS Code, but the feature is enabled by default. For users with this feature enabled, writing to the schema would trigger a network request without the user having a chance to deny. This issue is of moderate severity, since it requires the attacker to already be able to submit prompts to the agent. Version 3.20.3 fixed the issue where `search_files` did not respect the setting to limit it to the workspace. This reduces the scope of the damage if an attacker is able to take control of the agent through prompt injection or another vector.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-06-27
Last Modified
2025-09-15
Generated
2026-05-07
AI Q&A
2025-06-28
EPSS Evaluated
2026-05-05
NVD
CVE-2025-53097
EUVD
EUVD-2025-19434
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
roocode roo_code to 3.20.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Roo Code versions prior to 3.20.3 involves the `search_files` tool not respecting the setting that disables reading files outside the VS Code workspace. An attacker who can inject prompts into the agent could exploit this to read sensitive files outside the workspace and write that information to a JSON schema. Since schema fetching is enabled by default, this writing action could trigger a network request without user consent, potentially leaking sensitive data. The issue was fixed in version 3.20.3 by enforcing the workspace restriction.


How can this vulnerability impact me? :

If exploited, this vulnerability could allow an attacker to read sensitive files outside the intended workspace and exfiltrate that information via network requests triggered by writing to a JSON schema. This could lead to unauthorized disclosure of sensitive data. However, exploitation requires the attacker to already be able to submit prompts to the Roo Code agent, and users can mitigate risk by disabling schema fetching or updating to version 3.20.3 or later.


What immediate steps should I take to mitigate this vulnerability?

Upgrade Roo Code to version 3.20.3 or later, as this version fixes the issue where the `search_files` tool did not respect the setting to limit file reads to the VS Code workspace. Additionally, consider disabling schema fetching in VS Code to prevent automatic network requests triggered by writing to the JSON schema.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart