Roo Code Model Context Protocol Vulnerability Leading to Remote Code Execution

Vulnerability

A vulnerability in the Roo Code AI-powered coding agent allows remote code execution through the Model Context Protocol (MCP) configuration. The issue arises because MCP server configuration specifies commands that the agent executes, and prior to version 3.20.3 an attacker could craft a prompt that caused the agent to inject malicious commands into the MCP configuration file located in the user's VS Code workspace. Exploitation required the user to have MCP enabled (the default setting) and to have opted in to automatic approval of file writes, a feature that is turned off by default. The vulnerability is considered moderate in severity because it requires an initial prompt injection attack to exploit.

Impact

Successful exploitation could lead to arbitrary command execution on the user's system.

Reproduction

To reproduce this vulnerability, first ensure that Roo Code is installed and that MCP is enabled. Then inject a prompt that asks the Roo Code agent to write a command into the `.roo/mcp.json` file. If the user has enabled auto-approval for file writes, the write is applied without review and the injected command is executed, leading to arbitrary code execution.

Remediation

Users can update to Roo Code version 3.20.3 or later, which addresses this vulnerability by introducing an opt-in configuration for automatic approval of writes to Roo's configuration files, including those in the `.roo/` directory.
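Because the fix only changes which writes are auto-approved, a workspace that was already modified before updating may still carry an injected server entry. The following audit script is an added example (not Roo Code's own tooling) that flags `.roo/mcp.json` server entries launching a shell, using a command outside a reviewed allowlist, or carrying shell metacharacters in their arguments. It assumes the common MCP configuration layout `{"mcpServers": {name: {"command": ..., "args": [...]}}}`; the allowlist and the sample configuration are constructed for illustration.

```python
"""Audit a Roo Code workspace's .roo/mcp.json for MCP server entries that would
launch untrusted commands. Added example, not Roo Code's own tooling.
Assumed layout: {"mcpServers": {name: {"command": str, "args": [str, ...]}}}."""
from __future__ import annotations
import json
from pathlib import Path

# Assumed allowlist of launchers a team has reviewed; anything else is flagged.
ALLOWED_COMMANDS = {"npx", "uvx", "node", "python", "python3"}
# Shell launchers are flagged outright: the MCP "command" is executed as-is.
SHELL_LAUNCHERS = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"}
SHELL_METACHARS = ("|", "&&", ";", "$(", "`")


def audit_mcp_config(text: str) -> list[str]:
    """Return a list of findings for one mcp.json document (empty means clean)."""
    findings: list[str] = []
    try:
        config = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"mcp.json is not valid JSON: {exc}"]
    servers = config.get("mcpServers", {})
    if not isinstance(servers, dict):
        return ["mcpServers is not a JSON object"]
    for name, spec in servers.items():
        if not isinstance(spec, dict):
            findings.append(f"{name}: server entry is not a JSON object")
            continue
        command = str(spec.get("command", ""))
        args = [str(a) for a in spec.get("args", [])]
        base = Path(command).name.lower()  # strip any directory prefix
        if base in SHELL_LAUNCHERS:
            findings.append(f"{name}: launches a shell ({command} {' '.join(args)})")
        elif base not in ALLOWED_COMMANDS:
            findings.append(f"{name}: command '{command}' is not on the allowlist")
        if any(tok in " ".join(args) for tok in SHELL_METACHARS):
            findings.append(f"{name}: shell metacharacters in args")
    return findings


def audit_workspace(workspace: Path) -> list[str]:
    """Audit the .roo/mcp.json of a workspace directory, if present."""
    path = workspace / ".roo" / "mcp.json"
    return audit_mcp_config(path.read_text()) if path.exists() else []


# Constructed sample: one reviewed server and one injected shell entry.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "docs": {"command": "npx", "args": ["-y", "@example/docs-server"]},
    "helper": {"command": "sh", "args": ["-c", "echo injected && id"]},
}})

if __name__ == "__main__":
    for finding in audit_mcp_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against a workspace with `audit_workspace(Path("."))`; a non-empty result means the configuration deserves manual review before MCP is enabled in that workspace.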

Added: Jun 27, 2025, 10:27 PM
Updated: Jun 27, 2025, 10:27 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.4
remediation: 7.7
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 5.0

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.