Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Roo Code's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on fragile regular expressions to parse command structures; while it attempts to intercept dangerous operations, it fails to account for standard Shell command substitution Roo Code (specifically$(...)and backticks ...). An attacker can construct a command such as git log --grep="$(malicious_command)", forcing Syntx to misidentify it as a safe git operation and automatically approve it. The underlying Shell prioritizes the execution of the malicious code injected within the arguments, resulting in Remote Code Execution without any user interaction.
AnalysisAI
Remote code execution in Roo Code's command auto-approval module allows unauthenticated attackers to bypass the whitelist security mechanism via shell command substitution in command arguments. The vulnerability exploits inadequate regular expression parsing that fails to detect $(...) and backtick syntax, enabling an attacker to inject malicious commands (e.g., git log --grep="$(malicious_command)") that are automatically approved and executed with full system privileges. No CVSS scoring, KEV status, or official patch information is currently available.
Technical ContextAI
Roo Code implements an auto-approval module designed to whitelist and execute certain commands without user interaction. The system relies on regular expressions to parse and validate command structures before approval. However, this validation logic fails to account for standard POSIX shell command substitution mechanisms: the $(...) syntax and backtick notation (...). These substitution constructs are evaluated by the underlying shell before the command is actually executed, allowing arbitrary commands embedded in argument values to bypass the regex-based whitelist. The root cause is insufficient input validation that does not consider the full scope of shell metacharacter interpretation (CWE-78: Improper Neutralization of Special Elements used in an OS Command). The affected product identifier could not be fully determined from available data; Roo Code appears to be a tool or library related to code generation or command automation.
RemediationAI
Users of Roo Code should immediately update to a patched version addressing the command auto-approval mechanism; however, no official vendor-released patch version is confirmed in the available data. Until a patch is available, implement strict input validation in any downstream systems that invoke Roo Code's auto-approval module, specifically filtering or escaping shell metacharacters (dollar signs, backticks, parentheses, and other command substitution syntax) before commands are passed to the approval engine. Additionally, disable auto-approval functionality where feasible and require explicit manual approval for all commands. Monitor the official Roo Code repository (https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/7) and roocode.com for security advisories and patch releases. For detailed remediation guidance, contact the Roo Code development team or consult the referenced security advisory.
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17188
GHSA-3hqq-48gq-cwg4