CVE-2025-53536

Roo Code allows Potential Remote Code Execution via .vscode/settings.json

Description

Roo Code is an AI-powered autonomous coding agent. Prior to 3.22.6, if the victim had "Write" auto-approved, an attacker with the ability to submit prompts to the agent could write to VS Code settings files and trigger code execution. There were multiple ways to achieve that. One example is with the php.validate.executablePath setting which lets you set the path for the php executable for syntax validation. The attacker could have written the path to an arbitrary command there and then created a php file to trigger it. This vulnerability is fixed in 3.22.6.

Category

8.1
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.06%
Affected: RooCodeInc Roo-Code
Published at:
Updated at:

References

Link Tags
https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-3765-5vjr-qjgm
https://github.com/RooCodeInc/Roo-Code/commit/1be6fce1a6864ae63e8160b0666db2c647f2dbba
https://github.com/RooCodeInc/Roo-Code/commit/3993406ebdc0553a32ef391a799a4fb124930a1c

Frequently Asked Questions

What is the severity of CVE-2025-53536?
CVE-2025-53536 has been scored as a high severity vulnerability.
How to fix CVE-2025-53536?
To fix CVE-2025-53536, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-53536 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-53536 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-53536?
CVE-2025-53536 affects RooCodeInc Roo-Code.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.