Cyber Posture

CVE-2026-30307

Critical

Published: 30 March 2026

Published
30 March 2026
Modified
06 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0066 71.2th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Roo Code's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on fragile regular expressions to parse command structures; while it attempts to intercept dangerous operations, it fails…

more

to account for standard Shell command substitution Roo Code (specifically$(...)and backticks ...). An attacker can construct a command such as git log --grep="$(malicious_command)", forcing Syntx to misidentify it as a safe git operation and automatically approve it. The underlying Shell prioritizes the execution of the malicious code injected within the arguments, resulting in Remote Code Execution without any user interaction.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Mandates comprehensive validation of command inputs to block shell substitutions like $(...) and backticks that bypass the fragile regex whitelist.

SI-9 Information Input Restrictions partial match
prevent

Enforces strict restrictions on command inputs to ensure only safe structures are processed, strengthening the ineffective whitelist mechanism.

SI-2 Flaw Remediation good match
prevent

Requires timely identification, reporting, and correction of the specific flaw in the command auto-approval module to eliminate the injection vulnerability.

Security SummaryAI

CVE-2026-30307 is a critical OS command injection vulnerability (CWE-94) in Roo Code's command auto-approval module, published on 2026-03-30. The flaw renders the system's whitelist security mechanism completely ineffective due to fragile regular expressions used to parse command structures. These regex patterns fail to account for standard Shell command substitutions, such as $(...) and backticks, allowing dangerous operations to bypass interception while being misclassified as safe.

Any remote attacker can exploit this vulnerability without authentication or user interaction by crafting a command like git log --grep="$(malicious_command)". The auto-approval module identifies it as a benign git operation and approves execution, but the underlying Shell prioritizes and runs the injected malicious code within the arguments. This results in full remote code execution (RCE), with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), enabling high-impact compromise of confidentiality, integrity, and availability.

Advisories and further details are available in the referenced sources, including the LLM-Tool-Calling-CVEs GitHub issue at https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/7 and Roo Code's site at https://roocode.com/.

Details

CWE(s)
CWE-94

Affected Products

roocode
roo code
≤ 3.46.1

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

CVE enables unauthenticated remote command injection leading to RCE via shell substitutions bypassing whitelist; directly maps to exploitation of public-facing application (T1190) and Unix Shell execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References