CVE-2025-65946
BaseFortify
Publication date: 2025-11-21
Last updated on: 2025-12-04
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| roocode | roo_code | to 3.26.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Roo Code versions prior to 3.26.7 allowed the software to automatically execute commands that were not restricted by the intended allow list prefixes due to an error in validation. This means unauthorized commands could run without user permission.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized execution of commands, potentially resulting in high impact on confidentiality, integrity, and availability of your system or data, as indicated by the high CVSS score (8.1). This could allow attackers to perform harmful actions without user interaction.
What immediate steps should I take to mitigate this vulnerability?
Update Roo Code to version 3.26.7 or later, as this version contains the patch that fixes the validation error allowing unauthorized command execution.