Roo Code is Vulnerable to Potential Remote Code Execution via...

8.1 / 10

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Prior to version 3.26.7, Due to an error in validation it was possible for Roo to automatically execute commands that did not match the allow list prefixes. This issue has been patched in version 3.26.7.

Basic Information

ID CVE-2025-65946

Source GitHub_M

Published Nov 21, 2025 at 22:11

Affected Product

Vendor RooCodeInc

Product Roo-Code

Version < 3.26.7

Affected Versions RooCodeInc Roo-Code < 3.26.7

CWE Classification

CWE-77 CWE-20

References

{
    "lastseen": "",
    "description": "Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Prior to version 3.26.7, Due to an error in validation it was possible for Roo to automatically execute commands that did not match the allow list prefixes. This issue has been patched in version 3.26.7.",
    "published": "2025-11-21T22:11:12.163Z",
    "modified": "2025-11-21T22:11:12.163Z",
    "type": "cve",
    "title": "Roo Code is Vulnerable to Potential Remote Code Execution via zsh Command Validation Bug",
    "source": "GitHub_M",
    "references": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-hwm7-w97p-4h8p\nhttps://github.com/RooCodeInc/Roo-Code/pull/7667\nhttps://github.com/RooCodeInc/Roo-Code/commit/b50104cc5987ce64f5154309d967ae8c74cfd1f3",
    "id": "CVE-2025-65946",
    "bulletinFamily": "",
    "cwe": [
        "CWE-77",
        "CWE-20"
    ],
    "cvelist": null,
    "sourceData": "RooCodeInc Roo-Code < 3.26.7",
    "sourceHref": "",
    "cvss": {
        "score": 8.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Roo-Code",
    "version": "< 3.26.7",
    "vendor": "RooCodeInc",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Roo Code is Vulnerable to Potential Remote Code Execution via zsh Command Validation Bug_CVE-2025-65946