Roo Code VS Code Extension Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability exists in the Roo Code VS Code extension prior to version 3.22.6. When the user had 'Write' operations auto-approved, the Roo Code agent could modify VS Code settings files without any further confirmation, so an attacker able to submit prompts to the agent could have it write settings whose values VS Code or another extension later launches as a program. One exploitation method used the 'php.validate.executablePath' setting: the attacker inserted the path of a command of their choosing, and when a crafted PHP file was opened, the PHP validator ran that command. The attack therefore requires that the attacker can already submit prompts to the agent, but its outcome is execution of unauthorized code with the privileges of the user running VS Code, which is why the flaw is rated high severity.
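The pattern above is a workspace settings file whose executable-path values point at something the repository (or an agent writing into it) controls. The following audit script is an added example, not code from the advisory or from the Roo Code project: it parses VS Code's JSON-with-comments dialect and flags any `*.executablePath` setting that is workspace-relative, resolved through PATH, or outside an assumed list of trusted system directories. Both settings files are constructed samples; the trusted-directory list and the generalisation from `php.validate.executablePath` to other `*.executablePath` keys are assumptions of this example.

```python
import json
import re

# Constructed sample workspace settings (.vscode/settings.json), written the way
# an agent with auto-approved file writes could leave it. Not taken from the
# advisory or from Roo Code. VS Code accepts comments and trailing commas in
# settings files, so the auditor must parse that dialect, not strict JSON.
PLANTED_SETTINGS = r'''{
    // Innocuous-looking editor tweaks first
    "editor.tabSize": 4,
    /* The PHP extension launches this binary to lint any PHP file that is
       opened, so a path into the repo hands the attacker an execution hook. */
    "php.validate.executablePath": "./.vscode/tools/php",
    "python.defaultInterpreterPath": "/usr/bin/python3",
}'''

# The same settings with the validator pointing at the system interpreter.
CLEAN_SETTINGS = r'''{
    "editor.tabSize": 4,
    "php.validate.executablePath": "/usr/bin/php",
    "python.defaultInterpreterPath": "/usr/bin/python3"
}'''

# Directories a repository write cannot reach. Assumed policy for this example;
# extend for Windows (e.g. C:\Program Files) or managed tool installs.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/local/bin/", "/opt/homebrew/bin/", "/bin/")

# Setting keys whose string value is executed as a program. The advisory names
# php.validate.executablePath; treating every *.executablePath key the same way
# is an assumption of this example.
EXEC_KEY_RE = re.compile(r"\.executablePath$")


def _skip_trivia(text, j):
    """Advance j past whitespace and // or /* */ comments; return the new index."""
    n = len(text)
    while j < n:
        if text[j] in " \t\r\n":
            j += 1
        elif text.startswith("//", j):
            k = text.find("\n", j)
            j = n if k == -1 else k
        elif text.startswith("/*", j):
            k = text.find("*/", j + 2)
            j = n if k == -1 else k + 2
        else:
            break
    return j


def parse_jsonc(text):
    """Parse VS Code's JSON-with-comments. Comments and trailing commas are
    removed only outside string literals, so values like "http://host" or
    "a, }" are preserved verbatim."""
    out = []
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':
            # Copy the whole string literal, honouring backslash escapes.
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            out.append(text[i:j + 1])
            i = j + 1
        elif c in " \t\r\n" or text.startswith(("//", "/*"), i):
            out.append(" ")
            i = _skip_trivia(text, i)
        elif c == ",":
            # Drop the comma if the next significant token closes a container.
            j = _skip_trivia(text, i + 1)
            if not (j < n and text[j] in "}]"):
                out.append(c)
            i += 1
        else:
            out.append(c)
            i += 1
    return json.loads("".join(out))


def audit_settings(text):
    """Return (key, value, reason) for each executable-path setting that a
    repository write could control or that is not under a trusted directory."""
    findings = []
    for key, value in parse_jsonc(text).items():
        if not EXEC_KEY_RE.search(key) or not isinstance(value, str):
            continue
        if value.startswith(("./", "../", ".\\", "..\\")) or "${workspaceFolder}" in value:
            findings.append((key, value, "workspace-relative executable: writable by repo contents or an agent"))
        elif "/" not in value and "\\" not in value:
            findings.append((key, value, "bare name resolved via PATH: verify what it resolves to"))
        elif not value.startswith(TRUSTED_PREFIXES):
            findings.append((key, value, "executable outside trusted system directories: verify manually"))
    return findings


if __name__ == "__main__":
    for label, text in (("planted", PLANTED_SETTINGS), ("clean", CLEAN_SETTINGS)):
        print(label, audit_settings(text) or "no findings")
```

Run it against every `.vscode/settings.json` in a checkout before opening the workspace, or wire `audit_settings` into a pre-commit or CI check; the planted sample produces one finding for the PHP validator path and the clean sample produces none.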
Impact
Successful exploitation gives the attacker arbitrary code execution on the victim's machine, in the security context of the user running VS Code.
Remediation
Update to Roo Code version 3.22.6 or later, which fixes the vulnerability; installations already on 3.22.6 or later need no further action. Until the update is applied, withdrawing auto-approval for 'Write' operations removes the precondition the exploit depends on, at the cost of confirming each file change by hand.
