CVE-2025-53536
Published: 07 July 2025
Summary
CVE-2025-53536 is a high-severity Files or Directories Accessible to External Parties (CWE-552) vulnerability in Roocode Roo Code. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked in the top 21.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the LLM/Generative AI Risks risk domain.
Deeper analysis
Roo Code is an AI-powered autonomous coding agent affected by CVE-2025-53536 prior to version 3.22.6. The flaw stems from insufficient restrictions on file writes when the "Write" action is auto-approved, allowing modification of VS Code settings files such as those controlling executable paths for language validation. This maps to CWE-552 and carries a CVSS 3.1 score of 8.1.
An attacker able to submit prompts to the agent can exploit the issue to achieve arbitrary code execution on the victim's system. One demonstrated path involves setting php.validate.executablePath to an attacker-controlled binary and then creating a PHP file that triggers execution of that binary during syntax validation; multiple similar vectors exist through other settings files.
The issue is resolved in Roo Code 3.22.6, as detailed in the project's GitHub security advisory GHSA-3765-5vjr-qjgm and the associated commits that added safeguards against unauthorized settings writes. The EPSS score remains low and unchanged at 0.0113 with no observed rise after disclosure.
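A minimal sketch of the kind of safeguard described above, added here as an illustration and not taken from Roo Code's commits: before honoring an auto-approved write, resolve the target path and fall back to manual confirmation when it lands in a VS Code settings location. The function name, the protected-path lists and the sample requests are assumptions.

```python
import os

# Assumed policy, not Roo Code's actual list: locations whose contents VS Code
# treats as configuration (settings.json, tasks.json, launch.json, workspaces).
PROTECTED_DIRS = {".vscode"}
PROTECTED_SUFFIXES = (".code-workspace",)


def requires_manual_approval(workspace_root: str, requested_path: str) -> bool:
    """Return True if an auto-approved write must be confirmed by the user."""
    root = os.path.realpath(workspace_root)
    # realpath collapses "..", and follows symlinks that already exist, so the
    # decision is made on the file that would really be written.
    target = os.path.realpath(os.path.join(root, requested_path))
    if os.path.commonpath([root, target]) != root:
        return True  # outside the workspace, e.g. user-level settings
    # Compare case-insensitively: on Windows and default macOS volumes
    # ".VSCode/settings.json" names the same file as ".vscode/settings.json".
    parts = [p.lower() for p in os.path.relpath(target, root).split(os.sep)]
    if any(p in PROTECTED_DIRS for p in parts):
        return True
    return parts[-1].endswith(PROTECTED_SUFFIXES)


if __name__ == "__main__":
    # Constructed sample requests; "/tmp/ws" is a placeholder workspace root.
    for path in [".vscode/settings.json", "src/../.VSCode/settings.json",
                 "team.code-workspace", "../outside.txt", "src/index.php"]:
        verdict = "ask user" if requires_manual_approval("/tmp/ws", path) else "auto-approve"
        print(f"{path:32} -> {verdict}")
```

A path check of this kind only narrows the auto-approve surface; updating to 3.22.6 or later remains the fix the advisory gives.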
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-20299
Vulnerability details
Roo Code is an AI-powered autonomous coding agent. Prior to 3.22.6, if the victim had "Write" auto-approved, an attacker with the ability to submit prompts to the agent could write to VS Code settings files and trigger code execution. There were multiple ways to achieve that. One example is with the php.validate.executablePath setting which lets you set the path for the php executable for syntax validation. The attacker could have written the path to an arbitrary command there and then created a php file to trigger it. This vulnerability is fixed in 3.22.6.
- CWE(s)
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- Classification Reason: Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability lets an attacker who can submit prompts to Roo Code write to VS Code settings files (e.g., php.validate.executablePath) and create trigger files such as PHP files, resulting in arbitrary code execution upon validation. This directly facilitates Exploitation for Client Execution (T1203).
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Controls on authorized publication limit files and directories with nonpublic data from becoming accessible to external parties.
Controlling and documenting P2P file sharing prevents files and directories from being made accessible to external parties for unauthorized distribution.
Identifying and documenting file and directory locations allows restriction of access to external parties.
Protecting backup files ensures they are not accessible to external parties or unauthorized spheres.
Sanitizing equipment before off-site maintenance reduces the risk of files or directories containing sensitive data becoming accessible to external parties.
Policy restricts media access to authorized parties only, preventing exposure of resources to external or unauthorized actors.
Media access restrictions prevent files or directories from being accessible to external parties.
Employing and evaluating controls at documented alternate sites makes files and directories less likely to be accessible to external parties through physical or environmental weaknesses.