Cyber Posture

CVE-2025-65946

High · RCE

Published: 21 November 2025

Modified: 04 December 2025
KEV Added
Patch
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0008 (23.3th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-65946 is a high-severity Improper Input Validation (CWE-20) vulnerability in Roocode Roo Code. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The CVE ranks at the 23.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised under Enterprise AI Assistants, in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Command and Scripting Interpreter (T1059) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly mandates input validation at interfaces to prevent improper validation errors that allow execution of unauthorized commands matching CWE-20.

prevent

Enforces restrictions on information inputs such as allow list prefixes for commands, directly countering the bypass of prefix validation in Roo Code.

prevent

Requires timely identification, reporting, and patching of flaws like the validation error fixed in Roo Code version 3.26.7.

MITRE ATT&CK Enterprise Techniques (AI)

T1059: Command and Scripting Interpreter (tactic: Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

T1127: Trusted Developer Utilities Proxy Execution (tactic: Stealth)
Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads.

T1203: Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

The vulnerability enables arbitrary command execution by bypassing allow list validation in the Roo Code AI coding agent, facilitating command and scripting interpreter abuse (T1059), proxy execution via trusted developer utilities (T1127), and exploitation for client execution (T1203).

NVD Description

Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Prior to version 3.26.7, due to an error in validation, it was possible for Roo to automatically execute commands that did not match the allow list prefixes. This issue has been patched in version 3.26.7.

Deeper analysis (AI)

CVE-2025-65946 is a validation error in Roo Code, an AI-powered autonomous coding agent that integrates into users' editors. In versions prior to 3.26.7, the agent could automatically execute commands that did not match the configured allow list prefixes due to improper input validation. This vulnerability, linked to CWE-20 (Improper Input Validation) and CWE-77 (Command Injection), carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-11-21.

Remote attackers can exploit the vulnerability over the network, though it requires high attack complexity and no privileges or user interaction. Exploitation allows attackers to achieve high-impact effects on confidentiality, integrity, and availability by tricking the agent into automatically executing arbitrary commands outside the intended allow list.

The vulnerability has been patched in Roo Code version 3.26.7. Mitigation involves upgrading to this version or later. Details on the fix are documented in the GitHub security advisory (GHSA-hwm7-w97p-4h8p), pull request #7667, and commit b50104cc5987ce64f5154309d967ae8c74cfd1f3.
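The control discussed above, an allow list of command prefixes that gates what an agent may run without asking, sketched as an added JavaScript example. It is not Roo Code's code and does not reproduce the specific validation error, which this page does not describe; `ALLOWED_PREFIXES` and every function name are hypothetical.

```javascript
// Added example with hypothetical names; not Roo Code's implementation.
const ALLOWED_PREFIXES = ["git status", "git diff", "npm test", "ls"]; // constructed

// Naive check, shown for contrast: looks only at how the raw string starts.
const naiveCheck = (line) => ALLOWED_PREFIXES.some((p) => line.startsWith(p));

// Characters that make the shell substitute, expand, redirect or escape.
// Any of them sends the command back to the user for manual approval.
const NEEDS_REVIEW = /[`$<>\\]/;

// Split a line into sub-commands on ; & | and newlines, respecting quotes.
// Returns null on unbalanced quotes so the caller can fail closed.
function splitCommands(line) {
  const parts = [];
  let cur = "";
  let quote = null;
  for (const ch of line) {
    if (quote) {
      if (ch === quote) quote = null;
      cur += ch;
    } else if (ch === "'" || ch === '"') {
      quote = ch;
      cur += ch;
    } else if (";&|\n".includes(ch)) {
      parts.push(cur);
      cur = "";
    } else {
      cur += ch;
    }
  }
  if (quote) return null;
  parts.push(cur);
  // Collapse whitespace for matching only; the empty pieces come from && and ||.
  return parts.map((p) => p.trim().replace(/\s+/g, " ")).filter((p) => p !== "");
}

// A sub-command matches only on a word boundary, so "ls" does not cover "lsof".
function matchesPrefix(cmd) {
  return ALLOWED_PREFIXES.some((p) => cmd === p || cmd.startsWith(p + " "));
}

// Decide whether a command line may run without asking the user.
function mayAutoExecute(line) {
  if (NEEDS_REVIEW.test(line)) return false;
  const parts = splitCommands(line);
  if (parts === null || parts.length === 0) return false;
  return parts.every(matchesPrefix);
}
```

A `false` result here means "fall back to manual approval", so the check can afford to be stricter than a real shell parser.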

Details

CWE(s)

Affected Products

Vendor: roocode
Product: roo code
Versions: ≤ 3.26.7

AI Security Analysis (AI)

AI Category: Enterprise AI Assistants
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Roo Code is explicitly described as an 'AI-powered autonomous coding agent' that integrates into users' editors, fitting the Enterprise AI Assistants category as an AI assistant for coding tasks.

CVEs Like This One

CVE-2025-58370 - Same product: Roocode Roo Code
CVE-2026-30307 - Same product: Roocode Roo Code
CVE-2025-58371 - Same product: Roocode Roo Code
CVE-2026-21518 - Shared CWE-77
CVE-2025-62222 - Shared CWE-20, CWE-77
CVE-2026-21516 - Shared CWE-77
CVE-2026-21256 - Shared CWE-77
CVE-2026-21520 - Shared CWE-77
CVE-2026-21257 - Shared CWE-77
CVE-2026-26136 - Shared CWE-77
