CVE-2025-53536 in Roo-Code

Summary

by MITRE • 07/07/2025

Roo Code is an AI-powered autonomous coding agent. Prior to 3.22.6, if the victim had "Write" auto-approved, an attacker with the ability to submit prompts to the agent could write to VS Code settings files and trigger code execution. There were multiple ways to achieve that. One example is with the php.validate.executablePath setting which lets you set the path for the php executable for syntax validation. The attacker could have written the path to an arbitrary command there and then created a php file to trigger it. This vulnerability is fixed in 3.22.6.


Analysis

by VulDB Data Team • 09/15/2025

The vulnerability identified as CVE-2025-53536 affects Roo Code, an AI-powered autonomous coding agent designed to automate software development tasks within Visual Studio Code environments. This security flaw represents a critical privilege escalation issue that allows attackers to execute arbitrary code on systems where the agent operates with elevated permissions. The vulnerability specifically manifests when users have granted the "Write" auto-approval permission to the agent, creating a dangerous attack surface that can be exploited by malicious actors with access to the prompt submission interface.

The technical exploitation mechanism leverages the agent's ability to modify VS Code configuration files, particularly targeting the php.validate.executablePath setting, which controls the path to the PHP executable used for syntax validation. This configuration setting creates a direct code execution pathway when attackers manipulate it to point to malicious commands or scripts. The vulnerability demonstrates a classic path traversal and command injection pattern where an attacker can write arbitrary content to configuration files and subsequently trigger execution through legitimate VS Code functionality. This represents a CWE-78 (Improper Neutralization of Special Elements used in an OS Command) vulnerability combined with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) through unauthorized file system modifications.

The operational impact of this vulnerability extends beyond simple code execution to encompass full system compromise when attackers can leverage the autonomous coding agent's elevated privileges. Organizations using Roo Code in development environments face significant risk, as attackers can potentially establish persistent backdoors, exfiltrate sensitive code repositories, or deploy malicious payloads through the legitimate agent interface. The vulnerability's exploitation requires minimal prerequisites beyond having access to the prompt submission mechanism, making it particularly dangerous in collaborative development environments where multiple developers interact with the same autonomous agent. This aligns with ATT&CK techniques T1059.001 (Command and Scripting Interpreter: PowerShell) and T1068 (Exploitation for Privilege Escalation) through the use of legitimate system utilities and configuration file manipulation.

Mitigation strategies should focus on immediate patching to version 3.22.6, which addresses the core configuration file modification vulnerability. Organizations must implement strict access controls and review existing auto-approval permissions, particularly the "Write" capability, to ensure only trusted users can submit prompts that might modify system configurations. Network segmentation and monitoring of VS Code configuration file changes should be implemented to detect unauthorized modifications. The fix likely involves enhanced validation of configuration file paths and implementation of privilege separation mechanisms that prevent autonomous agents from writing to system-critical files. Additionally, organizations should conduct comprehensive security audits of their autonomous coding agent configurations and establish automated monitoring solutions to detect anomalous file modification patterns that could indicate exploitation attempts.
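A defender-side check for the settings-file monitoring recommended above, added here as an example and not code from VulDB or the Roo Code project: it audits a VS Code settings.json for executable-path settings, using the page's php.validate.executablePath as the one key with a known expected binary name. It goes beyond that single key by inspecting every setting ending in ".executablePath"; that suffix rule, the expected-binary table, the scratch-directory list and the sample files are all assumptions constructed for the example.

```python
import json
import re
from pathlib import PurePath

# VS Code settings that name a program the editor will spawn. The page's case is
# php.validate.executablePath; every key ending in ".executablePath" is checked
# so sibling settings with the same spawn pattern are covered (assumption).
EXEC_KEY_SUFFIX = ".executablePath"

# Constructed expectation: which binary name a given key should resolve to.
EXPECTED_BINARIES = {"php.validate.executablePath": {"php", "php.exe"}}

# Scratch locations an editor-spawned interpreter should not normally live in.
SUSPECT_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
SHELL_META = re.compile(r"[;&|`$<>\r\n]")


def audit_settings(jsonc_text: str) -> list[str]:
    """Return one finding per suspicious executable-path entry in settings.json."""
    text = re.sub(r"^[ \t]*//.*$", "", jsonc_text, flags=re.M)  # JSONC comments
    findings = []
    for key, value in json.loads(text).items():
        if not key.endswith(EXEC_KEY_SUFFIX):
            continue
        if not isinstance(value, str):
            findings.append(f"{key}: non-string value {value!r}")
            continue
        path = value.replace("\\", "/")  # normalise Windows separators
        if SHELL_META.search(value):
            findings.append(f"{key}: shell metacharacters in {value!r}")
        elif not (path.startswith("/") or re.match(r"^[A-Za-z]:/", path)):
            findings.append(f"{key}: relative path {value!r} (not an absolute location)")
        elif path.startswith(SUSPECT_PREFIXES):
            findings.append(f"{key}: points into a scratch directory {value!r}")
        expected = EXPECTED_BINARIES.get(key)
        if expected and PurePath(path).name.lower() not in expected:
            findings.append(f"{key}: basename is not one of {sorted(expected)}: {value!r}")
    return findings


# Constructed samples: a benign user settings file and a tampered workspace one.
BENIGN = '{\n  // user settings\n  "php.validate.executablePath": "/usr/bin/php"\n}'
TAMPERED = '{ "php.validate.executablePath": "/tmp/.cache/run.sh" }'

if __name__ == "__main__":
    for label, text in (("benign", BENIGN), ("tampered", TAMPERED)):
        print(label, audit_settings(text) or "clean")
```

Run it against both the user-level settings.json and each workspace's .vscode/settings.json, since the "Write" auto-approval lets the agent modify either.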

Responsible

GitHub M

Reservation

07/02/2025

Disclosure

07/07/2025

Moderation

accepted

CPE

ready

EPSS

0.00656

KEV

no

Activities

very low
