CVE-2025-53097

5.9 MEDIUM

📋 TL;DR

In Roo Code versions before 3.20.3, the AI agent's search_files tool could read sensitive files outside the VS Code workspace even when reads had been configured as disabled, and the file contents could then be exposed through JSON schema network requests. This affects users who keep the default schema fetching enabled and allow untrusted prompt input to reach the agent. Exploitation requires an attacker who already has prompt injection capability.

💻 Affected Systems

Products:
  • Roo Code
Versions: All versions before 3.20.3
Operating Systems: All platforms where Roo Code runs
Default Config Vulnerable: ⚠️ Yes
Notes: Requires VS Code schema fetching feature enabled (default) and attacker-controlled prompt injection into the Roo Code agent.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Sensitive system files (passwords, keys, configs) are read and exfiltrated via network requests without user consent, leading to credential theft or system compromise.

🟠

Likely Case

Limited file exposure within user directories if attacker gains prompt injection access, with potential data leakage but no direct system takeover.

🟢

If Mitigated

No file access outside workspace boundaries; prompt injection only affects workspace files with user awareness of network requests.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires prompt injection capability first; the file read and network exfiltration are secondary effects.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.20.3

Vendor Advisory: https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-wr2q-46pg-f228

Restart Required: Yes

Instructions:

1. Update the Roo Code extension in VS Code to version 3.20.3 or later.
2. Restart VS Code to apply the change.
3. Verify the installed version in the Extensions view.

🔧 Temporary Workarounds

Disable schema fetching (platform: all)

Prevent automatic network requests by disabling JSON schema fetching in VS Code settings.

Set 'json.schemaDownload.enable' to false in VS Code settings.json.

Restrict prompt input (platform: all)

Limit the Roo Code agent to trusted prompt sources only.

🧯 If You Can't Patch

  • Disable Roo Code agent entirely until patched
  • Use network monitoring to detect unexpected schema fetch requests

🔍 How to Verify

Check if Vulnerable:

Check Roo Code extension version in VS Code; versions below 3.20.3 are vulnerable.

Check Version:

In VS Code, check the Extensions view for the Roo Code version, or run 'code --list-extensions --show-versions' from a terminal.

Verify Fix Applied:

Confirm version is 3.20.3 or higher and test that search_files respects workspace boundaries.
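The version check above, as an added shell example that is not part of this advisory or of Roo Code: it parses the `publisher.name@x.y.z` lines that `code --list-extensions --show-versions` prints and flags any Roo Code entry older than 3.20.3. The extension-id pattern and the sample extension list are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Roo Code itself: decide whether
# an installed Roo Code extension is below the fixed version 3.20.3, given the
# output of `code --list-extensions --show-versions` (lines of the form
# publisher.name@x.y.z). The extension-id pattern is an assumption; replace it
# with the exact id your Extensions view shows for Roo Code.

FIXED_VERSION="3.20.3"
ROO_ID_PATTERN="roo"   # hypothetical: matched case-insensitively against the id

# Compare two dotted versions numerically; prints lt, eq or gt.
compare_versions() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$1" | cut -d. -f"$i"); a=${a:-0}
        b=$(printf '%s' "$2" | cut -d. -f"$i"); b=${b:-0}
        [ "$a" -lt "$b" ] && { echo lt; return 0; }
        [ "$a" -gt "$b" ] && { echo gt; return 0; }
        i=$((i + 1))
    done
    echo eq
}

# Read an extension list on stdin; report each Roo Code entry and return 1
# if any installed copy is older than FIXED_VERSION, 0 otherwise.
check_roo_code() {
    found=0; status=0
    while IFS= read -r line; do
        case "$line" in *@*) ;; *) continue ;; esac
        id=${line%@*}; ver=${line##*@}
        printf '%s' "$id" | grep -qi "$ROO_ID_PATTERN" || continue
        found=1
        if [ "$(compare_versions "$ver" "$FIXED_VERSION")" = lt ]; then
            echo "vulnerable: $id@$ver (fixed in $FIXED_VERSION)"; status=1
        else
            echo "patched: $id@$ver"
        fi
    done
    [ "$found" -eq 1 ] || echo "no Roo Code extension found in the list"
    return "$status"
}

# Constructed sample output standing in for the real command; on a workstation
# run:  code --list-extensions --show-versions | check_roo_code
SAMPLE='ms-python.python@2024.4.1
examplepublisher.roo-code@3.19.7'
printf '%s\n' "$SAMPLE" | check_roo_code || echo "update Roo Code to $FIXED_VERSION or later"
```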

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file access patterns outside workspace in Roo Code logs
  • Schema fetch network requests to unfamiliar domains

Network Indicators:

  • Outbound HTTP requests to JSON schema URLs not initiated by user

SIEM Query:

source='roo_code' AND ((event='file_read' AND path NOT LIKE '/workspace/%') OR (event='network_request' AND url LIKE '%.schema.json'))

🔗 References