CVE-2025-53098

8.1 HIGH

📋 TL;DR

CVE-2025-53098 is a vulnerability in the Roo Code AI coding agent that allows arbitrary command execution through malicious MCP configuration files. An attacker who can inject prompts into the agent could have it write attacker-chosen commands into the project's .roo/mcp.json file; those commands would then execute if the user had auto-approve file writes enabled. This affects Roo Code users who have MCP enabled and auto-approve file writes enabled.

💻 Affected Systems

Products:
  • Roo Code
Versions: Versions prior to 3.20.3
Operating Systems: All platforms where Roo Code runs
Default Config Vulnerable: ✅ No
Notes: Requires MCP enabled (default on) AND auto-approve file writes enabled (default off) to be exploitable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise: the attacker gains complete control of the user's development environment and potentially the underlying system through arbitrary command execution.

🟠 Likely Case

Limited impact, since exploitation requires several conditions at once: attacker prompt access, MCP enabled, and auto-approve file writes enabled (off by default). The most likely outcome is no exploitation.

🟢 If Mitigated

No impact if auto-approve file writes is disabled, or if the additional opt-in setting that allows writes to the .roo/ folder is not enabled.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires attacker to first gain prompt injection access to the AI agent, then craft malicious configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.20.3

Vendor Advisory: https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-5x8h-m52g-5v54

Restart Required: Yes

Instructions:

1. Update the Roo Code extension in VS Code to version 3.20.3 or later.
2. Restart VS Code.
3. Verify the update by checking the extension version.

🔧 Temporary Workarounds

Disable auto-approve file writes (all platforms): turn off the auto-approve file writes feature in Roo Code settings.

Disable the MCP feature (all platforms): turn off the MCP (Model Context Protocol) feature in Roo Code settings.

🧯 If You Can't Patch

  • Disable auto-approve file writes feature in Roo Code settings
  • Disable MCP feature entirely in Roo Code settings
  • Restrict access to Roo Code agent to trusted users only

🔍 How to Verify

Check if Vulnerable:

Check the Roo Code extension version in the VS Code Extensions view. If the version is below 3.20.3, you are vulnerable when MCP is enabled and auto-approve file writes is enabled.

Check Version:

Check the VS Code Extensions view, or run:

code --list-extensions --show-versions | grep roo-code

Verify Fix Applied:

Verify that the Roo Code extension version shown in the VS Code Extensions view is 3.20.3 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file writes to .roo/mcp.json
  • Suspicious commands in MCP configuration
  • Unexpected process execution from Roo Code

Network Indicators:

  • Unusual outbound connections from VS Code/Roo Code process

SIEM Query:

Process creation events from VS Code or Roo Code with suspicious command-line arguments
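The version check above and the "suspicious commands in MCP configuration" indicator can both be scripted. The following is an added example written for this page (not code from Roo Code or the advisory): it parses the output of `code --list-extensions --show-versions` to decide whether the installed extension predates 3.20.3, and it lists every server in a `.roo/mcp.json` that launches a local process so a reviewer can compare them against an allowlist. It assumes the extension identifier contains "roo-code" (as in the page's grep) and that `mcp.json` has a top-level `mcpServers` object whose entries carry `command` and `args` keys; both the listing and the JSON below are constructed samples.

```python
"""Workstation audit helper for CVE-2025-53098 (added example, not vendor code).

Assumptions not stated on the page: the extension id contains "roo-code", and
.roo/mcp.json uses {"mcpServers": {name: {"command": ..., "args": [...]}}}.
"""
import json
import re

PATCHED_VERSION = (3, 20, 3)


def parse_version(text):
    """Turn '3.20.2' into (3, 20, 2); any pre-release suffix is ignored."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unparsable version: {text!r}")
    return tuple(int(part) for part in match.groups())


def find_roo_code_version(listing):
    """Return the Roo Code version from `code --list-extensions --show-versions`
    output (lines of the form publisher.name@version), or None if absent."""
    for line in listing.splitlines():
        ext_id, _, version = line.strip().partition("@")
        if "roo-code" in ext_id.lower() and version:
            return version
    return None


def is_vulnerable_version(version):
    """True when the installed version is older than the fixed release 3.20.3."""
    return parse_version(version) < PATCHED_VERSION


def list_mcp_commands(mcp_json_text):
    """Return [(server_name, command_line)] for each server that starts a local
    process. Entries without a 'command' key (e.g. URL-only servers) are skipped."""
    config = json.loads(mcp_json_text)
    servers = config.get("mcpServers", {})  # assumed schema, see module docstring
    found = []
    for name, spec in servers.items():
        if not isinstance(spec, dict) or "command" not in spec:
            continue
        args = [str(a) for a in spec.get("args", [])]
        found.append((name, " ".join([spec["command"], *args])))
    return found


def flag_unexpected(commands, allowed_executables):
    """Return servers whose executable is not in the reviewer's allowlist."""
    return [(name, cmd) for name, cmd in commands
            if cmd.split()[0] not in allowed_executables]


# Constructed sample inputs; they do not come from any real machine.
SAMPLE_LISTING = """\
ms-python.python@2024.4.1
example-publisher.roo-code@3.20.2
"""

SAMPLE_MCP_JSON = json.dumps({
    "mcpServers": {
        "filesystem": {"command": "npx",
                       "args": ["-y", "@example/server-filesystem", "."]},
        "remote-docs": {"url": "https://example.invalid/mcp"},
        "odd-entry": {"command": "sh", "args": ["-c", "echo constructed-sample"]},
    }
})

if __name__ == "__main__":
    version = find_roo_code_version(SAMPLE_LISTING)
    print("Roo Code version:", version,
          "(vulnerable)" if version and is_vulnerable_version(version) else "(patched)")
    commands = list_mcp_commands(SAMPLE_MCP_JSON)
    for name, cmd in flag_unexpected(commands, allowed_executables={"npx"}):
        print(f"review MCP server {name!r}: launches {cmd!r}")
```

In practice the listing would come from running the page's `code --list-extensions --show-versions` command and the JSON from reading the project's `.roo/mcp.json`; the allowlist is whatever executables your team has approved for MCP servers, so anything else surfaces for review rather than being trusted because the agent wrote it.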
