How to fix EUVD-2025-19434?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Validate input sanitization for user-controlled parameters.

Is Roo Code affected by EUVD-2025-19434?

Organizations using Roo Code should be aware of moderate risk from CVE-2025-53097, a injection vulnerability rated CVSS 5.9. Exploitation could allow attackers to execute code or inject malicious input. A patch is available and should be applied during regular vulnerability management.

EUVD-2025-19434

| CVE-2025-53097 MEDIUM

2025-06-27 [email protected]

5.9

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 16, 2026 - 00:16 vuln.today

EUVD ID Assigned

Mar 16, 2026 - 00:16 euvd

EUVD-2025-19434

Patch Released

Mar 16, 2026 - 00:16 nvd

Patch available

CVE Published

Jun 27, 2025 - 22:15 nvd

MEDIUM 5.9

Description

Roo Code is an AI-powered autonomous coding agent. Prior to version 3.20.3, there was an issue where the Roo Code agent's `search_files` tool did not respect the setting to disable reads outside of the VS Code workspace. This means that an attacker who was able to inject a prompt into the agent could potentially read a sensitive file and then write the information to a JSON schema. Users have the option to disable schema fetching in VS Code, but the feature is enabled by default. For users with this feature enabled, writing to the schema would trigger a network request without the user having a chance to deny. This issue is of moderate severity, since it requires the attacker to already be able to submit prompts to the agent. Version 3.20.3 fixed the issue where `search_files` did not respect the setting to limit it to the workspace. This reduces the scope of the damage if an attacker is able to take control of the agent through prompt injection or another vector.

Analysis

A security vulnerability in Roo Code (CVSS 5.9). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Technical Context

CWE-74 (Injection). Affects Roo Code.

Affected Products

['Roo Code']

Remediation

Apply the vendor-supplied patch immediately. Implement input validation and WAF rules as interim mitigation.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +30

POC: 0

EUVD-2025-19434 vulnerability details – vuln.today

Back

EUVD-2025-19434

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

EUVD-2025-19434

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code