Cyber Posture

CVE-2025-57771

High · RCE

Published: 22 August 2025
Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0021 (43.4th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-57771 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 43.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised under Enterprise AI Assistants, in the LLM/Generative AI Risks domain.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Requires validation of crafted prompts in the command parsing logic to block injection via process substitution and single ampersand characters.

prevent

Directly remediates the command injection flaw by applying patches to version 3.25.5 or later with improved parsing logic.

prevent

Enforces least functionality by disabling non-essential auto-approved execution, which is required for exploitation.

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1059.004 Unix Shell (Tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

The vulnerability allows command injection via crafted prompts using process substitution and ampersand characters when auto-execute is enabled, facilitating exploitation of the client application (T1203) for arbitrary Unix shell command execution (T1059.004).

NVD Description

Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions prior to 3.25.5, Roo-Code fails to properly handle process substitution and single ampersand characters in the command parsing logic for auto-execute commands. If a user has enabled auto-approved execution for a command such as ls, an attacker who can submit crafted prompts to the agent may inject arbitrary commands to be executed alongside the intended command. Exploitation requires attacker access to submit prompts and for the user to have enabled auto-approved command execution, which is disabled by default. This vulnerability could allow an attacker to execute arbitrary code. The issue is fixed in version 3.25.5.

Deeper analysis (AI)

CVE-2025-57771 is an OS command injection vulnerability (CWE-78) in Roo Code, an AI-powered autonomous coding agent that integrates into users' editors. Affecting versions prior to 3.25.5, the flaw arises from improper handling of process substitution and single ampersand characters in the command parsing logic for auto-execute commands. This allows crafted inputs to inject arbitrary commands when auto-approved execution is enabled for specific commands, such as ls. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-08-22.

An attacker with the ability to submit prompts to the Roo Code agent can exploit this vulnerability by crafting inputs that leverage the parsing flaw to execute arbitrary commands alongside the intended one. Exploitation requires the user to have explicitly enabled auto-approved command execution, which is disabled by default, and does not necessitate privileges beyond prompt submission access. Successful exploitation enables arbitrary code execution on the user's system, potentially leading to high confidentiality, integrity, and availability impacts.

The Roo Code security advisory (GHSA-wrh9-463x-7wvv) and associated commit (de359a465c67aefc67553aa2b464591b602c4bdc) confirm the issue is fixed in version 3.25.5 through improvements to command parsing logic. Users should update to 3.25.5 or later and ensure auto-approved execution remains disabled unless necessary.
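A fail-closed pre-check for auto-approved commands, as an added example that is not Roo Code's parser or the 3.25.5 fix: it declines to auto-approve any command containing unquoted shell control or expansion syntax, which covers the process substitution and single ampersand cases described above. The function names, allowlist and sample commands are constructed for illustration.

```typescript
// Added example (hypothetical names): gate run before an agent auto-executes a command.
type Decision = { autoApprove: boolean; reason: string };

// Unquoted characters that can start another command, a redirection or an expansion.
const UNQUOTED_BLOCK = "&|;\n\r<>()\\$`";
// Inside double quotes the shell still expands $(...), `...` and $VAR.
const DQUOTED_BLOCK = "$`\\";

// Returns the first character that makes the command more than one simple command,
// "unterminated quote" for unbalanced quoting, or null when none is found.
function findShellSyntax(command: string): string | null {
  let quote = ""; // "" = not inside quotes, otherwise the opening quote character
  for (let i = 0; i < command.length; i++) {
    const ch = command.charAt(i);
    if (quote === "'") {
      if (ch === "'") quote = ""; // single quotes: everything is literal
    } else if (quote === '"') {
      if (ch === '"') quote = "";
      else if (DQUOTED_BLOCK.indexOf(ch) !== -1) return ch;
    } else if (ch === "'" || ch === '"') {
      quote = ch;
    } else if (UNQUOTED_BLOCK.indexOf(ch) !== -1) {
      return ch;
    }
  }
  return quote === "" ? null : "unterminated quote";
}

// Auto-approve only a single simple command whose first word is on the allowlist;
// everything else falls back to asking the user.
function decide(command: string, allowedPrefixes: string[]): Decision {
  const cmd = command.trim();
  const hit = findShellSyntax(cmd);
  if (hit !== null) {
    return { autoApprove: false, reason: "shell syntax: " + JSON.stringify(hit) };
  }
  const ok = allowedPrefixes.some((p) => cmd === p || cmd.indexOf(p + " ") === 0);
  return ok
    ? { autoApprove: true, reason: "allowlisted simple command" }
    : { autoApprove: false, reason: "not on allowlist" };
}

// Constructed sample commands; "ls" stands in for a user-approved command.
const SAMPLES = ["ls -la src", "ls & echo x", "ls <(echo x)", "ls 'a & b'", 'ls "$(echo x)"'];
for (const s of SAMPLES) {
  const d = decide(s, ["ls"]);
  console.log(JSON.stringify(s), d.autoApprove ? "auto-approve" : "ask user", "-", d.reason);
}
```

The check is deliberately stricter than a shell grammar: it also sends harmless uses of `$`, redirection or backslashes to manual approval rather than trying to prove them safe.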

This vulnerability highlights security risks in AI-powered coding agents, where prompt injection can lead to command execution in development environments, underscoring the need for robust input sanitization in AI/ML-assisted tools. No real-world exploitation has been reported.

Details

CWE(s)

Affected Products

In
inferred from references and description; NVD did not file a CPE for this CVE

AI Security Analysis (AI)

AI Category: Enterprise AI Assistants
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Roo Code is described as an AI-powered autonomous coding agent integrated into users' editors, functioning as an AI assistant for code generation and execution, which aligns with the Enterprise AI Assistants category.

CVEs Like This One

CVE-2025-58370 (Shared CWE-78)
CVE-2026-27487 (Shared CWE-78)
CVE-2026-41015 (Shared CWE-78)
CVE-2026-24844 (Shared CWE-78)
CVE-2026-40032 (Shared CWE-78)
CVE-2026-35022 (Shared CWE-78)
CVE-2026-35043 (Shared CWE-78)
CVE-2026-25157 (Shared CWE-78)
CVE-2025-1244 (Shared CWE-78)
CVE-2026-35020 (Shared CWE-78)

References