Cyber Resilience

CVE-2025-53097

Medium

Published: 27 June 2025

Modified: 15 September 2025
KEV Added: not listed
Patch: fixed in version 3.20.3
CVSS v3.1 score: 5.9 (vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.0032 (55.6th percentile)
Risk priority: 12 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-53097 is a medium-severity Injection (CWE-74) vulnerability in Roocode Roo Code. Its CVSS base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 44.4% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised under AI Agent Protocols and Integrations, falls in the LLM/Generative AI Risks risk domain, and has the MITRE ATLAS technique Direct (AML.T0051.000) in scope.

EU & UK References

Vulnerability details

Roo Code is an AI-powered autonomous coding agent. Prior to version 3.20.3, there was an issue where the Roo Code agent's `search_files` tool did not respect the setting to disable reads outside of the VS Code workspace. This means that an attacker who was able to inject a prompt into the agent could potentially read a sensitive file and then write the information to a JSON schema. Users have the option to disable schema fetching in VS Code, but the feature is enabled by default. For users with this feature enabled, writing to the schema would trigger a network request without the user having a chance to deny. This issue is of moderate severity, since it requires the attacker to already be able to submit prompts to the agent. Version 3.20.3 fixed the issue where `search_files` did not respect the setting to limit it to the workspace. This reduces the scope of the damage if an attacker is able to take control of the agent through prompt injection or another vector.
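As an added illustration (not Roo Code's own code, which is not on this page), the following TypeScript sketches the workspace-containment check that a `search_files`-style tool must apply before it walks a directory, with the pre-fix behaviour beside the hardened one. The setting name, the function names and the `RealPath` hook are assumptions made for the example.

```typescript
import * as path from "path";

// Assumed setting shape; the real Roo Code setting name is not given on this page.
export interface SearchSettings {
  allowReadsOutsideWorkspace: boolean;
}

// Canonicalisation hook. Pass fs.realpathSync in a real tool so a symlink inside the
// workspace cannot point outside it; the identity default keeps this example disk-free.
export type RealPath = (p: string) => string;
const identity: RealPath = (p) => p;

// True iff `target` is the workspace root itself or a descendant of it (POSIX semantics).
export function isInsideWorkspace(root: string, target: string, realpath: RealPath = identity): boolean {
  const realRoot = realpath(path.posix.resolve(root));
  const realTarget = realpath(path.posix.resolve(realRoot, target));
  const rel = path.posix.relative(realRoot, realTarget);
  // A relative path of ".." or one starting with "../" escapes the root. A name such as
  // "..foo" is legitimate, so a plain startsWith("..") check would be wrong here.
  return rel === "" || (rel !== ".." && !rel.startsWith(".." + path.posix.sep));
}

// Pre-3.20.3 behaviour as the advisory describes it: the setting is never consulted.
export function vulnerableSearchRoot(_settings: SearchSettings, root: string, requested: string): string {
  return path.posix.resolve(root, requested);
}

// Hardened behaviour: confine the search root unless the user explicitly allowed outside reads.
// Sibling directories with a shared prefix (e.g. "proj-evil" next to "proj") are rejected too,
// because the check is on path components, not on string prefixes.
export function hardenedSearchRoot(
  settings: SearchSettings,
  root: string,
  requested: string,
  realpath: RealPath = identity,
): string {
  const target = path.posix.resolve(root, requested);
  if (!settings.allowReadsOutsideWorkspace && !isInsideWorkspace(root, target, realpath)) {
    throw new Error(`search_files: "${requested}" resolves outside the workspace and outside-workspace reads are disabled`);
  }
  return target;
}
```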

CWE(s)

AI Security Analysis

AI Category: AI Agent Protocols and Integrations
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: LLM01:2025 Prompt Injection
Classification Reason: matched keywords "ai", "prompt injection"

Related Threats

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1083 File and Directory Discovery (tactic: Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

T1041 Exfiltration Over C2 Channel (tactic: Exfiltration)
Adversaries may steal data by exfiltrating it over an existing command and control channel.

Why these techniques?

The vulnerability in the `search_files` tool enables reading sensitive files outside the VS Code workspace (T1005 Data from Local System, T1083 File and Directory Discovery). Writing stolen data to a JSON schema triggers an unauthorized network request, facilitating exfiltration over the agent's communication channel (T1041).

MITRE ATLAS Techniques

AML.T0051.000: Direct (sub-technique of AML.T0051, LLM Prompt Injection)

Affected Assets

Vendor: roocode
Product: roo code
Versions: ≤ 3.20.3

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-74: Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.

Addresses CWE-74: Anomaly and attack monitoring identifies indicators of injection attacks (command, SQL, LDAP, etc.).

References