CVE-2025-57771 in Roo-Code
Summary
by MITRE • 08/22/2025
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions prior to 3.25.5, Roo-Code fails to properly handle process substitution and single ampersand characters in the command parsing logic for auto-execute commands. If a user has enabled auto-approved execution for a command such as ls, an attacker who can submit crafted prompts to the agent may inject arbitrary commands to be executed alongside the intended command. Exploitation requires attacker access to submit prompts and for the user to have enabled auto-approved command execution, which is disabled by default. This vulnerability could allow an attacker to execute arbitrary code. The issue is fixed in version 3.25.5.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 08/22/2025
The vulnerability identified as CVE-2025-57771 affects Roo Code, an AI-powered autonomous coding agent designed to operate within user development environments. This agent represents a sophisticated integration of artificial intelligence with software development workflows, enabling automated code generation and execution capabilities that significantly enhance developer productivity. The system's architecture relies heavily on parsing and executing commands submitted through various interfaces, including prompt-based interactions that can trigger automated code operations within the user's development environment. The agent's functionality includes features for auto-execution of commands, which can be configured to automatically approve and run specific command sequences without explicit user confirmation, creating both convenience and potential security risks.
The core technical flaw resides in the command parsing logic implementation within Roo Code versions prior to 3.25.5, specifically concerning how the system handles process substitution and single ampersand characters. Process substitution represents a shell feature that allows commands to be executed in background processes while maintaining their output, and the single ampersand character serves as a shell operator for running commands in the background. The vulnerability emerges from inadequate input sanitization and parsing validation, where the system fails to properly distinguish between legitimate command parameters and malicious injection attempts. This parsing deficiency allows attackers to craft prompts that manipulate the command execution flow by exploiting shell metacharacters, effectively bypassing the intended command isolation mechanisms. The flaw particularly impacts scenarios where users have enabled auto-approved execution for commands such as ls, which represents a common utility for directory listing operations.
The operational impact of this vulnerability extends beyond simple command injection, potentially enabling full arbitrary code execution within the context of the user's development environment. Attackers exploiting this vulnerability can leverage the auto-approved execution feature to inject malicious commands that execute alongside legitimate operations, effectively creating a persistent backdoor or escalation path within the user's system. The attack requires two key conditions: the ability to submit crafted prompts to the agent and the presence of auto-approved execution configuration, which is notably disabled by default, making the vulnerability less likely to be exploited in environments with proper security configurations. This dual-condition requirement provides some inherent protection but does not eliminate the risk entirely, particularly in environments where security controls may be insufficient or where social engineering attacks could lead to configuration changes.
Security mitigations for this vulnerability center on upgrading to version 3.25.5 or later, which implements proper command parsing and input validation mechanisms. Organizations should conduct immediate assessment of their Roo Code installations to identify systems running vulnerable versions and ensure all instances are updated to the patched release. Additionally, security teams should review and enforce proper configuration management practices, ensuring that auto-approved execution features remain disabled unless explicitly required for specific use cases. The vulnerability demonstrates the importance of proper shell metacharacter handling in automated systems and aligns with CWE-78, which addresses improper neutralization of special elements used in OS commands, as well as ATT&CK technique T1059.001 for command and scripting interpreter. Organizations should also implement monitoring and logging of command execution activities to detect potential exploitation attempts, while maintaining strict access controls for prompt submission interfaces to prevent unauthorized users from crafting malicious inputs that could exploit this class of vulnerability.