Roo Code OS Command Injection Vulnerability Leading to Remote Code Execution

Vulnerability

A critical OS command injection vulnerability has been identified in the command auto-approval module of Roo Code, affecting versions through 3.46.1. The module validates commands against a whitelist using fragile regular expressions, which undermines the whitelist as a security mechanism. The validation fails to properly handle standard shell command substitution, specifically backticks and certain characters. As a result, an attacker can inject malicious commands that are misidentified as safe, leading to remote code execution without any user interaction.
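
An added example, not Roo Code's code or its fix: a prefix regex of the kind the advisory calls fragile, next to a fail-closed auto-approval gate that refuses backticks and other shell expansion before it consults the allowlist. The allowlist entries, function names and sample commands are assumptions constructed for illustration.

```typescript
// Added example; names are hypothetical and this is not Roo Code's implementation.
const ALLOWED_PREFIXES: string[] = ["git status", "git log", "npm test"]; // constructed allowlist

// Weak pattern: a prefix regex sees only how the string starts, not what the shell will run.
function naiveAutoApprove(command: string): boolean {
  const s = command.trim();
  return ALLOWED_PREFIXES.some((p) => new RegExp("^" + p + "(\\s|$)").test(s));
}

type Verdict = { approve: boolean; reason: string };

// Fail-closed gate: scan with quote awareness and send anything the shell would
// expand, redirect or group to manual approval; check every chained segment.
function strictAutoApprove(command: string): Verdict {
  const segments: string[] = [];
  let current = "";
  let quote = ""; // "", "'" or '"'
  for (let i = 0; i < command.length; i++) {
    const c = command.charAt(i);
    if (quote === "'") {
      if (c === "'") quote = ""; // inside single quotes everything is literal
    } else if (c === "`" || c === "$" || c === "\\") {
      return { approve: false, reason: "expansion or escape character: " + c };
    } else if (quote === '"') {
      if (c === '"') quote = ""; // inside double quotes operators are literal
    } else if (c === "'" || c === '"') {
      quote = c;
    } else if ("<>(){}".indexOf(c) !== -1) {
      return { approve: false, reason: "redirection or grouping character: " + c };
    } else if (";|&\n\r".indexOf(c) !== -1) {
      segments.push(current); // command separator: close the current segment
      current = "";
      continue;
    }
    current += c;
  }
  if (quote !== "") return { approve: false, reason: "unterminated quote" };
  segments.push(current);
  const cmds = segments.map((s) => s.trim()).filter((s) => s !== "");
  const rejected = cmds.filter((s) => !naiveAutoApprove(s));
  if (cmds.length === 0) return { approve: false, reason: "empty command" };
  if (rejected.length > 0) return { approve: false, reason: "not allowlisted: " + rejected[0] };
  return { approve: true, reason: "every segment is allowlisted" };
}
```

The strict gate deliberately over-rejects: a command it declines is not blocked, it is routed to manual approval.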

Impact

Exploitation of this vulnerability allows for remote code execution on the affected system.

Added: Mar 30, 2026, 8:29 PM
Updated: Mar 30, 2026, 8:29 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 7.4
remediation: 0.0
relevance: 4.8
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.