PT-2025-30619 · Robocode · Robocode
Maccarita +1
Published 2025-07-23 · Updated 2025-07-24
CVE-2025-54377
CVSS v3.1: 7.8 (High)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Roo Code versions 3.23.18 and below
Description
Roo Code, an AI-powered autonomous coding agent, does not validate line breaks (`\n`) in its command input. This bypasses the allow-list mechanism due to a lack of parsing or validation logic, potentially enabling command injection. Only the first line or token may be considered during command evaluation, allowing attackers to smuggle additional commands in subsequent lines.
Recommendations
Update to Roo Code version 3.23.19 or later.
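As an added illustration of the weakness described above (example code, not Roo Code's own implementation): a minimal shell-command allow-list check, first in the weak form that evaluates only the first token of the input, then in a hardened form that refuses embedded line breaks and evaluates every statement. The allow-list contents, the function names and the splitting on shell statement separators are assumptions made for this example; the advisory itself names only line breaks.

```typescript
// Added example, not Roo Code's own code. Constructed allow-list for this
// example: only these leading tokens are permitted.
const ALLOWED_COMMANDS: ReadonlySet<string> = new Set(["git", "npm", "ls"]);

// Weak check, matching the behaviour the advisory describes: only the first
// token of the input is considered, so anything after a newline is never
// looked at and "git status\n<other command>" passes as "git status".
function isAllowedWeak(command: string): boolean {
  const firstToken = command.trim().split(/\s+/)[0] ?? "";
  return ALLOWED_COMMANDS.has(firstToken);
}

// Hardened check. Returns null when the input is acceptable, otherwise a
// short reason. Characters that let one string carry several commands
// (newline, carriage return, NUL) are refused outright. The remaining input
// is then split on common shell statement separators (an assumption that
// goes beyond the advisory, which names only line breaks) and the leading
// token of every statement must be on the allow-list.
function checkCommand(command: string): string | null {
  if (/[\r\n\0]/.test(command)) {
    return "line break or NUL byte in command input";
  }
  const statements = command
    .split(/\s*(?:&&|\|\||[;|&])\s*/)
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
  if (statements.length === 0) {
    return "empty command";
  }
  for (const statement of statements) {
    const token = statement.split(/\s+/)[0];
    if (!ALLOWED_COMMANDS.has(token)) {
      return `command not in allow-list: ${token}`;
    }
  }
  return null;
}

// Constructed inputs: a benign command, and the same command with a second
// line smuggled behind a newline, as in the advisory.
const BENIGN = "git status";
const SMUGGLED = "git status\necho smuggled";

// The weak check accepts both; the hardened check rejects the smuggled one.
console.log(isAllowedWeak(BENIGN), isAllowedWeak(SMUGGLED)); // true true
console.log(checkCommand(BENIGN), checkCommand(SMUGGLED));
```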
Command Injection
Affected Products
Robocode