CVE-2025-65946

High

Published: 21 November 2025

Published

21 November 2025

Modified

04 December 2025

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0008 23.2th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may exploit software vulnerabilities in client applications to execute code.

Security Summary

CVE-2025-65946 is a validation error in Roo Code, an AI-powered autonomous coding agent that integrates into users' editors. In versions prior to 3.26.7, the agent could automatically execute commands that did not match the configured allow list prefixes due to improper input validation. This vulnerability, linked to CWE-20 (Improper Input Validation) and CWE-77 (Command Injection), carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-11-21.

Remote attackers can exploit the vulnerability over the network, though it requires high attack complexity and no privileges or user interaction. Exploitation allows attackers to achieve high-impact effects on confidentiality, integrity, and availability by tricking the agent into automatically executing arbitrary commands outside the intended allow list.

The vulnerability has been patched in Roo Code version 3.26.7. Mitigation involves upgrading to this version or later. Details on the fix are documented in the GitHub security advisory (GHSA-hwm7-w97p-4h8p), pull request #7667, and commit b50104cc5987ce64f5154309d967ae8c74cfd1f3.

Details

CWE(s): CWE-20CWE-77

Affected Products

roocode

roo code

≤ 3.26.7

AI Security Analysis

AI Category: Enterprise AI Assistants
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: Roo Code is explicitly described as an 'AI-powered autonomous coding agent' that integrates into users' editors, fitting the Enterprise AI Assistants category as an AI assistant for coding tasks.

MITRE ATT&CK Enterprise Techniques

T1059 Command and Scripting Interpreter Execution

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

attack.mitre.org →

T1127 Trusted Developer Utilities Proxy Execution Stealth

Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

The vulnerability enables arbitrary command execution by bypassing allow list validation in the Roo Code AI coding agent, facilitating command and scripting interpreter abuse (T1059), proxy execution via trusted developer utilities (T1127), and exploitation for client execution (T1203).

References

https://github.com/RooCodeInc/Roo-Code/commit/b50104cc5987ce64f5154309d967ae8c74cfd1f3
Patch · security-advisories@github.com
https://github.com/RooCodeInc/Roo-Code/pull/7667
Issue Tracking · security-advisories@github.com
https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-hwm7-w97p-4h8p
Vendor Advisory · security-advisories@github.com