Cyber Resilience

CVE-2025-53536

Severity: High
Published: 07 July 2025
Modified: 15 September 2025
KEV Added: not listed
Patch: fixed in 3.22.6
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0113 (78.7th percentile)
Risk Priority: 17 (weighting 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-53536 is a high-severity Files or Directories Accessible to External Parties (CWE-552) vulnerability in Roo Code by Roocode. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 21.3% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the LLM/Generative AI Risks risk domain.

Deeper analysis

Roo Code is an AI-powered autonomous coding agent; versions prior to 3.22.6 are affected by CVE-2025-53536. The flaw stems from insufficient restrictions on file writes when the "Write" action is auto-approved, which lets the agent modify VS Code settings files, including those that control the executable paths used for language syntax validation. This maps to CWE-552 and carries a CVSS 3.1 score of 8.1.

An attacker who can submit prompts to the agent can exploit the issue to achieve arbitrary code execution on the victim's system. One demonstrated path sets php.validate.executablePath to an attacker-controlled binary and then creates a PHP file, so that syntax validation of that file runs the binary; several similar vectors exist through other settings files.

The issue is resolved in Roo Code 3.22.6, as detailed in the project's GitHub security advisory GHSA-3765-5vjr-qjgm and the associated commits that added safeguards against unauthorized settings writes. The EPSS score remains low and unchanged at 0.0113 with no observed rise after disclosure.
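As an added, defender-side example (not Roo Code's own code or its actual fix), here is the kind of guard an agent's auto-approved "Write" tool could apply before touching the workspace: it refuses writes that leave the workspace or land in VS Code settings files, and holds back JSON that sets an executable-path style key such as php.validate.executablePath for manual approval. The file patterns, key regex and function names are assumptions.

```typescript
// Added example, not Roo Code's own code: a guard an agent's auto-approved
// "Write" tool could run before touching the workspace. It blocks writes that
// leave the workspace or land in VS Code settings files and holds back JSON
// that sets an executable-path style key for manual approval. Names assumed.
import * as path from "path";

export interface WriteDecision { allowed: boolean; reason: string; }

// Keys whose string values VS Code or an extension will run as a program.
const EXECUTABLE_KEY = /(^|\.)(executablePath|shellPath)$/i;

// Forward slashes, collapse "." and ".." so ".vscode/../.vscode/x" is seen.
function normalise(relPath: string): string {
  return path.posix.normalize(relPath.replace(/\\/g, "/"));
}
// Editor configuration locations that can change which binaries get run.
function isSettingsFile(p: string): boolean {
  return p.split("/").indexOf(".vscode") !== -1 || p.endsWith(".code-workspace");
}
// Dotted paths of executable-looking keys at any depth; handles both
// {"php.validate.executablePath": ...} and the nested object form.
function executableKeys(node: unknown, prefix = ""): string[] {
  const hits: string[] = [];
  if (typeof node !== "object" || node === null) return hits;
  const obj = node as Record<string, unknown>;
  for (const k of Object.keys(obj)) {
    const full = prefix ? `${prefix}.${k}` : k;
    if (EXECUTABLE_KEY.test(k) && typeof obj[k] === "string") hits.push(full);
    hits.push(...executableKeys(obj[k], full));
  }
  return hits;
}

export function checkWrite(relPath: string, content: string): WriteDecision {
  const p = normalise(relPath);
  if (path.posix.isAbsolute(p) || /^[a-zA-Z]:\//.test(p) || p === ".." || p.startsWith("../")) {
    return { allowed: false, reason: `path leaves workspace: ${relPath}` };
  }
  if (isSettingsFile(p)) {
    return { allowed: false, reason: `editor settings file, needs manual approval: ${p}` };
  }
  if (p.endsWith(".json")) {
    let keys: string[] = [];
    try { keys = executableKeys(JSON.parse(content)); } catch { /* not JSON, nothing to inspect */ }
    if (keys.length > 0) {
      return { allowed: false, reason: `sets executable key(s): ${keys.join(", ")}` };
    }
  }
  return { allowed: true, reason: "ok" };
}
```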


Vulnerability details

Roo Code is an AI-powered autonomous coding agent. Prior to 3.22.6, if the victim had "Write" auto-approved, an attacker with the ability to submit prompts to the agent could write to VS Code settings files and trigger code execution. There were multiple ways to achieve that. One example is the php.validate.executablePath setting, which lets you set the path to the php executable used for syntax validation. The attacker could have written the path to an arbitrary command there and then created a php file to trigger it. This vulnerability is fixed in 3.22.6.

CWE(s)

CWE-552: Files or Directories Accessible to External Parties

AI Security Analysis

AI Category: AI Agent Protocols and Integrations
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: LLM01:2025 Prompt Injection
Classification Reason: Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The vulnerability allows attackers to submit prompts to Roo Code, enabling arbitrary writes to VS Code settings files (e.g., php.validate.executablePath) and creation of trigger files like PHP files, resulting in arbitrary code execution upon validation. This directly facilitates Exploitation for Client Execution (T1203).

Affected Assets

roocode
roo code
≤ 3.22.6

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-552: Controls on authorized publication limit files and directories with nonpublic data from becoming accessible to external parties.

Addresses CWE-552: Controlling and documenting P2P file sharing prevents files and directories from being made accessible to external parties for unauthorized distribution.

Addresses CWE-552: Identifying and documenting file and directory locations allows restriction of access to external parties.

Addresses CWE-552: Protecting backup files ensures they are not accessible to external parties or unauthorized spheres.

Addresses CWE-552: Sanitizing equipment before off-site maintenance reduces the risk of files or directories containing sensitive data becoming accessible to external parties.

Addresses CWE-552: Policy restricts media access to authorized parties only, preventing exposure of resources to external or unauthorized actors.

Addresses CWE-552: Media access restrictions prevent files or directories from being accessible to external parties.

Addresses CWE-552: Employing and evaluating controls at documented alternate sites makes files and directories less likely to be accessible to external parties through physical or environmental weaknesses.
