Skip to main content

CVE-2026-30307

| EUVDEUVD-2026-17188 CRITICAL
Code Injection (CWE-94)
2026-03-30 mitre GHSA-3hqq-48gq-cwg4
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 30, 2026 - 19:30 euvd
EUVD-2026-17188
Analysis Generated
Mar 30, 2026 - 19:30 vuln.today
CVE Published
Mar 30, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

Roo Code's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on fragile regular expressions to parse command structures; while it attempts to intercept dangerous operations, it fails to account for standard Shell command substitution Roo Code (specifically$(...)and backticks ...). An attacker can construct a command such as git log --grep="$(malicious_command)", forcing Syntx to misidentify it as a safe git operation and automatically approve it. The underlying Shell prioritizes the execution of the malicious code injected within the arguments, resulting in Remote Code Execution without any user interaction.

AnalysisAI

Remote code execution in Roo Code's command auto-approval module allows unauthenticated attackers to bypass the whitelist security mechanism via shell command substitution in command arguments. The vulnerability exploits inadequate regular expression parsing that fails to detect $(...) and backtick syntax, enabling an attacker to inject malicious commands (e.g., git log --grep="$(malicious_command)") that are automatically approved and executed with full system privileges. No CVSS scoring, KEV status, or official patch information is currently available.

Technical ContextAI

Roo Code implements an auto-approval module designed to whitelist and execute certain commands without user interaction. The system relies on regular expressions to parse and validate command structures before approval. However, this validation logic fails to account for standard POSIX shell command substitution mechanisms: the $(...) syntax and backtick notation (...). These substitution constructs are evaluated by the underlying shell before the command is actually executed, allowing arbitrary commands embedded in argument values to bypass the regex-based whitelist. The root cause is insufficient input validation that does not consider the full scope of shell metacharacter interpretation (CWE-78: Improper Neutralization of Special Elements used in an OS Command). The affected product identifier could not be fully determined from available data; Roo Code appears to be a tool or library related to code generation or command automation.

RemediationAI

Users of Roo Code should immediately update to a patched version addressing the command auto-approval mechanism; however, no official vendor-released patch version is confirmed in the available data. Until a patch is available, implement strict input validation in any downstream systems that invoke Roo Code's auto-approval module, specifically filtering or escaping shell metacharacters (dollar signs, backticks, parentheses, and other command substitution syntax) before commands are passed to the approval engine. Additionally, disable auto-approval functionality where feasible and require explicit manual approval for all commands. Monitor the official Roo Code repository (https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/7) and roocode.com for security advisories and patch releases. For detailed remediation guidance, contact the Roo Code development team or consult the referenced security advisory.

Share

CVE-2026-30307 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy