CVE-2025-65946
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-21

Last updated on: 2025-12-04

Assigner: GitHub, Inc.

Description
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Prior to version 3.26.7, Due to an error in validation it was possible for Roo to automatically execute commands that did not match the allow list prefixes. This issue has been patched in version 3.26.7.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-21
Last Modified
2025-12-04
Generated
2026-06-16
AI Q&A
2025-11-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-65946
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
roocode roo_code to 3.26.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Roo Code versions prior to 3.26.7 allowed the software to automatically execute commands that were not restricted by the intended allow list prefixes due to an error in validation. This means unauthorized commands could run without user permission.

Impact Analysis

The vulnerability can lead to unauthorized execution of commands, potentially resulting in high impact on confidentiality, integrity, and availability of your system or data, as indicated by the high CVSS score (8.1). This could allow attackers to perform harmful actions without user interaction.

Mitigation Strategies

Update Roo Code to version 3.26.7 or later, as this version contains the patch that fixes the validation error allowing unauthorized command execution.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-65946. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart