CVE-2025-58373
BaseFortify
Publication date: 2025-09-05
Last updated on: 2025-09-15
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| roocode | roo_code | up to 3.26.0 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Roo Code versions 3.25.23 and below allows an attacker with write access to the workspace to bypass .rooignore protections by using symlinks. This tricks the extension into reading files that were meant to be excluded, potentially exposing sensitive files such as .env or configuration files.
How can this vulnerability impact me?
If an attacker can modify files in your workspace, they could exploit this vulnerability to access sensitive information that was intended to be hidden, such as secrets and configuration details. This unauthorized access could lead to information disclosure and compromise of sensitive project data.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Roo Code to version 3.26.0 or later, as this version contains the fix for the .rooignore symlink bypass vulnerability. Additionally, restrict write access to the workspace to trusted users only to prevent attackers from modifying files and exploiting the vulnerability.