cve-2025-53097
Vulnerability from cvelistv5
Published
2025-06-27 21:43
Modified
2025-06-30 16:22
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Roo Code extension vulnerable to Potential Information Leakage via JSON Schema
References
security-advisories@github.comhttps://github.com/RooCodeInc/Roo-Code/commit/10b2fb32ed047bbd7b8d10ef185c1ed345efcc92
security-advisories@github.comhttps://github.com/RooCodeInc/Roo-Code/commit/7d0b22f9e659dc6c26aab0bacbea27874986e772
security-advisories@github.comhttps://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-wr2q-46pg-f228
Impacted products
RooCodeIncRoo-Code
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53097",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-30T16:22:34.112486Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-30T16:22:40.734Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Roo-Code",
          "vendor": "RooCodeInc",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.20.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Roo Code is an AI-powered autonomous coding agent. Prior to version 3.20.3, there was an issue where the Roo Code agent\u0027s `search_files` tool did not respect the setting to disable reads outside of the VS Code workspace. This means that an attacker who was able to inject a prompt into the agent could potentially read a sensitive file and then write the information to a JSON schema. Users have the option to disable schema fetching in VS Code, but the feature is enabled by default. For users with this feature enabled, writing to the schema would trigger a network request without the user having a chance to deny. This issue is of moderate severity, since it requires the attacker to already be able to submit prompts to the agent. Version 3.20.3 fixed the issue where `search_files` did not respect the setting to limit it to the workspace. This reduces the scope of the damage if an attacker is able to take control of the agent through prompt injection or another vector."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-27T21:43:31.678Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-wr2q-46pg-f228",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-wr2q-46pg-f228"
        },
        {
          "name": "https://github.com/RooCodeInc/Roo-Code/commit/10b2fb32ed047bbd7b8d10ef185c1ed345efcc92",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/RooCodeInc/Roo-Code/commit/10b2fb32ed047bbd7b8d10ef185c1ed345efcc92"
        },
        {
          "name": "https://github.com/RooCodeInc/Roo-Code/commit/7d0b22f9e659dc6c26aab0bacbea27874986e772",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/RooCodeInc/Roo-Code/commit/7d0b22f9e659dc6c26aab0bacbea27874986e772"
        }
      ],
      "source": {
        "advisory": "GHSA-wr2q-46pg-f228",
        "discovery": "UNKNOWN"
      },
      "title": "Roo Code extension vulnerable to Potential Information Leakage via JSON Schema"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-53097",
    "datePublished": "2025-06-27T21:43:31.678Z",
    "dateReserved": "2025-06-25T13:41:23.086Z",
    "dateUpdated": "2025-06-30T16:22:40.734Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-53097\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-06-27T22:15:25.803\",\"lastModified\":\"2025-06-30T18:38:23.493\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Roo Code is an AI-powered autonomous coding agent. Prior to version 3.20.3, there was an issue where the Roo Code agent\u0027s `search_files` tool did not respect the setting to disable reads outside of the VS Code workspace. This means that an attacker who was able to inject a prompt into the agent could potentially read a sensitive file and then write the information to a JSON schema. Users have the option to disable schema fetching in VS Code, but the feature is enabled by default. For users with this feature enabled, writing to the schema would trigger a network request without the user having a chance to deny. This issue is of moderate severity, since it requires the attacker to already be able to submit prompts to the agent. Version 3.20.3 fixed the issue where `search_files` did not respect the setting to limit it to the workspace. This reduces the scope of the damage if an attacker is able to take control of the agent through prompt injection or another vector.\"},{\"lang\":\"es\",\"value\":\"Roo Code es un agente de codificaci\u00f3n aut\u00f3nomo basado en IA. Antes de la versi\u00f3n 3.20.3, exist\u00eda un problema por el cual la herramienta `search_files` del agente Roo Code no respetaba la configuraci\u00f3n para deshabilitar las lecturas fuera del espacio de trabajo de VS Code. Esto significa que un atacante que pudiera inyectar un mensaje en el agente podr\u00eda leer un archivo confidencial y luego escribir la informaci\u00f3n en un esquema JSON. Los usuarios tienen la opci\u00f3n de deshabilitar la obtenci\u00f3n del esquema en VS Code, pero la funci\u00f3n est\u00e1 habilitada por defecto. Para los usuarios con esta funci\u00f3n habilitada, escribir en el esquema activar\u00eda una solicitud de red sin que el usuario pudiera denegarla. Este problema es de gravedad moderada, ya que requiere que el atacante ya pueda enviar mensajes al agente. La versi\u00f3n 3.20.3 solucion\u00f3 el problema por el cual `search_files` no respetaba la configuraci\u00f3n para limitarlo al espacio de trabajo. Esto reduce el alcance del da\u00f1o si un atacante logra tomar el control del agente mediante la inyecci\u00f3n de mensajes u otro vector.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-74\"}]}],\"references\":[{\"url\":\"https://github.com/RooCodeInc/Roo-Code/commit/10b2fb32ed047bbd7b8d10ef185c1ed345efcc92\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/RooCodeInc/Roo-Code/commit/7d0b22f9e659dc6c26aab0bacbea27874986e772\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-wr2q-46pg-f228\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.