Primary

Context

Roo Code Workspace Configuration Vulnerability Leading to Arbitrary Code Execution

Vulnerability

A vulnerability in Roo Code versions through 3.25.23 allows certain Visual Studio Code workspace configuration files (.code-workspace) to be improperly protected compared to the .vscode folder. If the agent's auto-approve file writes feature is enabled, an attacker could exploit this by injecting prompts to manipulate workspace settings or tasks. These malicious tasks could be executed automatically when the workspace is reopened, potentially leading to arbitrary code execution.

Impact

Exploitation of this vulnerability allows for arbitrary code execution in the user's environment.

Remediation

The vulnerability has been addressed in version 3.26.0, which adds .code-workspace files to the list of protected files. Users should update to this version.

Added: Sep 5, 2025, 11:18 PM

Updated: Sep 5, 2025, 11:18 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

7.3

remediation

0.0

relevance

0.5

threat

3.2

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

7.3

remediation

0.0

relevance

0.5

threat

3.2

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Roo Code Workspace Configuration Vulnerability Leading to Arbitrary Code Execution

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating