📦 Roo Code
by Roocode
🔍 What is Roo Code?
Description coming soon...
🛡️ Security Overview
⚠️ Known Vulnerabilities
CVE-2025-58371 is a critical vulnerability in Roo Code versions 3.26.6 and below that allows remote code execution on GitHub Actions runners. Attackers can craft malicious pull request metadata to exe...
CVE-2025-65946 is a command injection vulnerability in Roo Code AI coding agent versions before 3.26.7. Due to improper validation, Roo could automatically execute commands not on its allow list, pote...
CVE-2025-58374 is a command injection vulnerability in Roo Code's auto-approve feature that allows arbitrary code execution when users open malicious repositories. The vulnerability affects users of R...
CVE-2025-58370 is a command injection vulnerability in Roo Code's Bash parameter expansion handling that allows attackers to execute arbitrary commands alongside legitimate ones when the agent is conf...
CVE-2025-54377 is a command injection vulnerability in Roo Code AI coding agent that allows bypassing allow-list restrictions via line break characters. Attackers can smuggle unauthorized commands by ...
This vulnerability in Roo Code allows attackers with prompt submission access to write malicious configurations to VS Code settings files, leading to arbitrary command execution. Users with 'Write' au...
CVE-2025-53098 is a vulnerability in Roo Code AI coding agent that allows arbitrary command execution through malicious MCP configuration files. Attackers with prompt injection access could write mali...
This vulnerability in Roo Code allows attackers with write access to bypass .rooignore file protections using symbolic links, potentially exposing sensitive files like .env or configuration files. Use...
In Roo Code versions before 3.20.3, the AI agent's search_files tool could read sensitive files outside the VS Code workspace when disabled reads were configured, potentially exposing data through JSO...