RooCodeInc Roo-Code up to 3.20.2 Configuration File roo/mcp.json command injection

Summaryinfo

A vulnerability classified as critical has been found in RooCodeInc Roo-Code up to 3.20.2. The impacted element is an unknown function of the file roo/mcp.json of the component Configuration File Handler. This manipulation causes command injection. The identification of this vulnerability is CVE-2025-53098. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability classified as problematic was found in RooCodeInc Roo-Code up to 3.20.2. Affected by this vulnerability is some unknown processing of the file roo/mcp.json of the component Configuration File Handler. The manipulation with an unknown input leads to a command injection vulnerability. The CWE definition for the vulnerability is CWE-77. The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. As an impact it is known to affect confidentiality. The summary by CVE is:

Roo Code is an AI-powered autonomous coding agent. The project-specific MCP configuration for the Roo Code agent is stored in the `.roo/mcp.json` file within the VS Code workspace. Because the MCP configuration format allows for execution of arbitrary commands, prior to version 3.20.3, it would have been possible for an attacker with access to craft a prompt to ask the agent to write a malicious command to the MCP configuration file. If the user had opted-in to auto-approving file writes within the project, this would have led to arbitrary command execution. This issue is of moderate severity, since it requires the attacker to already be able to submit prompts to the agent (for instance through a prompt injection attack), for the user to have MCP enabled (on by default), and for the user to have enabled auto-approved file writes (off by default). Version 3.20.3 fixes the issue by adding an additional layer of opt-in configuration for auto-approving writing to Roo's configuration files, including all files within the `.roo/` folder.

It is possible to read the advisory at github.com. This vulnerability is known as CVE-2025-53098 since 06/25/2025. The exploitation appears to be difficult. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1202 according to MITRE ATT&CK.

By approaching the search of inurl:roo/mcp.json it is possible to find vulnerable targets with Google Hacking.

Upgrading to version 3.20.3 eliminates this vulnerability. Applying the patch 7d0b22f9e659dc6c26aab0bacbea27874986e772 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2025-19433). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Vendor

• RooCodeInc

Name

• Roo-Code

Version

• 3.20.0
• 3.20.1
• 3.20.2

License

• open-source

Website

• Product: https://github.com/RooCodeInc/Roo-Code/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion