CVE-2025-54377
BaseFortify
Publication date: 2025-07-23
Last updated on: 2025-09-11
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| roocode | roo_code | up to 3.23.19 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in RooCode versions 3.23.18 and below is caused by the lack of validation for line breaks (\n) in command inputs. RooCode only checks the first line or token of a command against an allow-list, allowing attackers to inject additional commands on subsequent lines that bypass this allow-list. This means an attacker can execute unauthorized commands by smuggling them in multi-line inputs, leading to command injection. [1]
How can this vulnerability impact me?
The vulnerability can lead to unauthorized command execution with high impact on confidentiality, integrity, and availability. An attacker with local access and low privileges can exploit this flaw without user interaction to run unintended commands, potentially compromising the system or data. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for command inputs that contain newline characters (\n) used to inject additional commands beyond the allow-listed ones. Specifically, look for commands where only the first line is allow-listed but subsequent lines execute unauthorized commands. You can inspect logs or command inputs for suspicious multi-line commands. For example, searching for commands containing '\n' or multiple commands chained in a single input. A practical approach is to grep for newline characters or suspicious command patterns in RooCode's command input logs. Example commands to detect this might include: `grep -P '\n' /path/to/roocode/command/logs` or monitoring command execution logs for unexpected commands following an allow-listed command. Additionally, auditing RooCode versions below 3.23.19 can help identify vulnerable instances. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade RooCode to version 3.23.19 or later, where the vulnerability is fixed by properly parsing and validating line breaks in command inputs. This update ensures that multi-line command injection is prevented by splitting commands on newlines and validating each line against the allow-list. Until the upgrade can be applied, restrict local access to RooCode to trusted users only, as the vulnerability requires local access with low privileges. Additionally, consider monitoring and blocking command inputs containing newline characters to reduce risk. [1, 2]
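The two checks contrasted above, a first-line-only allow-list check and the per-line check the fix is described as applying, as an added TypeScript illustration that is not RooCode's own code; the allow-list entries, function names and sample input are constructed for the demo.

```typescript
// Added illustration, not RooCode's source: models the allow-list check the
// advisory describes (first line only) next to a per-line check. It covers
// only the line-break handling discussed here, not other shell separators.

// Constructed allow-list of permitted command names (hypothetical).
const ALLOW_LIST: ReadonlySet<string> = new Set(["git", "npm", "ls"]);

// First whitespace-delimited token of a line, e.g. "git" for "git status".
function firstToken(line: string): string {
  const tokens = line.trim().split(/\s+/);
  return tokens[0] ?? "";
}

// Vulnerable shape: only the leading token of the whole input is validated,
// so anything after the first line break is never examined.
function isAllowedFirstLineOnly(command: string): boolean {
  return ALLOW_LIST.has(firstToken(command));
}

// Split on CRLF or LF and drop blank lines so every command line is visible.
function commandLines(command: string): string[] {
  return command
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line.length > 0);
}

// Hardened shape: every non-empty line must start with an allow-listed name,
// and an empty input is rejected rather than silently accepted.
function isAllowedPerLine(command: string): boolean {
  const lines = commandLines(command);
  return lines.length > 0 && lines.every((line) => ALLOW_LIST.has(firstToken(line)));
}

// Log-review aid: returns the lines a first-line-only check would have let
// through unexamined. An empty array means no line was smuggled past it.
function smuggledLines(command: string): string[] {
  const [first, ...rest] = commandLines(command);
  if (first === undefined || !ALLOW_LIST.has(firstToken(first))) return [];
  return rest.filter((line) => !ALLOW_LIST.has(firstToken(line)));
}

// Constructed sample: an allowed first line, then a line not on the allow-list.
const SAMPLE = "git status\necho not-on-the-allow-list";

console.log(isAllowedFirstLineOnly(SAMPLE)); // true  (bypass succeeds)
console.log(isAllowedPerLine(SAMPLE));       // false (rejected)
console.log(smuggledLines(SAMPLE));          // ["echo not-on-the-allow-list"]
```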