CVE-2025-53098
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-06-27

Last updated on: 2025-09-15

Assigner: GitHub, Inc.

Description
Roo Code is an AI-powered autonomous coding agent. The project-specific MCP configuration for the Roo Code agent is stored in the `.roo/mcp.json` file within the VS Code workspace. Because the MCP configuration format allows for execution of arbitrary commands, prior to version 3.20.3, it would have been possible for an attacker with access to craft a prompt to ask the agent to write a malicious command to the MCP configuration file. If the user had opted-in to auto-approving file writes within the project, this would have led to arbitrary command execution. This issue is of moderate severity, since it requires the attacker to already be able to submit prompts to the agent (for instance through a prompt injection attack), for the user to have MCP enabled (on by default), and for the user to have enabled auto-approved file writes (off by default). Version 3.20.3 fixes the issue by adding an additional layer of opt-in configuration for auto-approving writing to Roo's configuration files, including all files within the `.roo/` folder.
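The fix described above separates "auto-approve ordinary file writes" from "auto-approve writes to the agent's own configuration", so a prompt-driven edit to `.roo/mcp.json` can no longer ride on the general write approval. The following TypeScript is an added illustration of that two-tier policy, written for this page; it is not Roo Code's own code, and the settings names (`autoApproveWrites`, `autoApproveProtectedWrites`), the `Decision` type and the functions are hypothetical. The only fact taken from the advisory is that everything under `.roo/` is treated as protected. The legacy decision function is kept alongside the fixed one to show why the single opt-in was insufficient.

```typescript
import * as path from "path";

// Hypothetical settings shape (assumption; not Roo Code's real settings keys).
interface ApprovalSettings {
  autoApproveWrites: boolean;          // user opted in to auto-approving file writes (off by default)
  autoApproveProtectedWrites: boolean; // separate opt-in for the agent's own config files
}

type Decision = "auto-approve" | "ask-user" | "reject";

// Directory segment whose contents can drive command execution (from the advisory).
const PROTECTED_DIR = ".roo";

// Resolve the agent's requested target against the workspace and return a
// forward-slash relative path, or null if the target escapes the workspace.
// Resolving first defeats ".." tricks such as "src/../.roo/mcp.json".
export function normalizeRelative(workspaceRoot: string, target: string): string | null {
  const abs = path.resolve(workspaceRoot, target);
  const rel = path.relative(workspaceRoot, abs);
  if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    return null; // outside the workspace: never auto-approve, never silently allow
  }
  return rel.split(path.sep).join("/");
}

// Conservative: any path with a ".roo" directory segment counts as protected.
export function isProtectedPath(rel: string): boolean {
  return rel.split("/").includes(PROTECTED_DIR);
}

// Pre-fix behaviour: one switch governs every write, config files included.
export function decideWriteLegacy(
  workspaceRoot: string, target: string, settings: ApprovalSettings,
): Decision {
  const rel = normalizeRelative(workspaceRoot, target);
  if (rel === null) return "reject";
  return settings.autoApproveWrites ? "auto-approve" : "ask-user";
}

// Fixed behaviour: protected paths need their own explicit opt-in,
// otherwise the user is asked even when ordinary writes are auto-approved.
export function decideWrite(
  workspaceRoot: string, target: string, settings: ApprovalSettings,
): Decision {
  const rel = normalizeRelative(workspaceRoot, target);
  if (rel === null) return "reject";
  if (!settings.autoApproveWrites) return "ask-user";
  if (isProtectedPath(rel)) {
    return settings.autoApproveProtectedWrites ? "auto-approve" : "ask-user";
  }
  return "auto-approve";
}

// Constructed scenario: a user who auto-approves writes, but has not opted in
// to auto-approving writes to the agent's configuration.
const userSettings: ApprovalSettings = { autoApproveWrites: true, autoApproveProtectedWrites: false };
const ROOT = "/home/dev/project";

console.log("legacy:", decideWriteLegacy(ROOT, ".roo/mcp.json", userSettings)); // auto-approve
console.log("fixed: ", decideWrite(ROOT, ".roo/mcp.json", userSettings));       // ask-user
console.log("fixed: ", decideWrite(ROOT, "src/index.ts", userSettings));        // auto-approve
```

Run with `ts-node` or compile with `tsc`; the three log lines show the same prompt-driven write being waved through by the legacy policy and routed to the user by the fixed one. The path normalization matters as much as the prefix check: without it, a write proposed as `src/../.roo/mcp.json` would pass a naive `startsWith(".roo/")` test.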
Meta Information
Published
2025-06-27
Last Modified
2025-09-15
Generated
2026-05-06
AI Q&A
2025-06-28
EPSS Evaluated
2026-05-05
NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
roocode roo_code to 3.20.3 (exc)
Exploitability
CWE
KEV
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects Roo Code, an AI-powered autonomous coding agent. Before version 3.20.3, the agent's MCP configuration file (.roo/mcp.json) could be manipulated by an attacker who could craft a prompt to make the agent write malicious commands into this configuration file. If the user had enabled auto-approving file writes (which is off by default), this could lead to arbitrary command execution. The vulnerability requires the attacker to already have the ability to submit prompts to the agent and for the user to have MCP enabled and auto-approve file writes. Version 3.20.3 fixes this by adding an extra opt-in layer for auto-approving writes to configuration files.


How can this vulnerability impact me?

If exploited, this vulnerability could allow an attacker to execute arbitrary commands on your system via the Roo Code agent. This could lead to unauthorized actions or compromise of your environment, but exploitation requires the attacker to submit prompts to the agent, MCP to be enabled, and auto-approval of file writes to be turned on by the user.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update Roo Code to version 3.20.3 or later, which adds an additional opt-in configuration layer for auto-approving writes to configuration files. Additionally, ensure that auto-approved file writes are disabled (off by default) unless explicitly needed, and avoid enabling MCP auto-approval without careful consideration.

