Primary

Context

Roo Code Remote Code Execution Vulnerability via Zsh Command Validation

Vulnerability

A remote code execution vulnerability has been identified in Roo Code versions prior to 3.26.7. This issue arises from a validation error that allowed Roo to automatically execute commands not adhering to the specified allow list prefixes. The vulnerability exploits Zsh command features, particularly glob qualifiers, to execute arbitrary commands.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the user's system.

Reproduction

The vulnerability can be reproduced by using Zsh glob qualifiers that include command execution, such as '(e:whoami:)', in a command that Roo is allowed to execute. Roo will automatically execute the injected command, bypassing the validation that is supposed to prevent such actions.

Remediation

Users can upgrade to Roo Code version 3.26.7 or later to address this vulnerability.

Added: Nov 21, 2025, 11:18 PM

Updated: Nov 21, 2025, 11:18 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

7.7

remediation

7.7

relevance

1.1

threat

4.8

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

7.7

remediation

7.7

relevance

1.1

threat

4.8

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Roo Code Remote Code Execution Vulnerability via Zsh Command Validation

Vulnerability

Impact

Reproduction

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating