Name of the Vulnerable Software and Affected Versions:
Roo Code versions 3.25.23 and below
Description:
Roo Code, an AI-powered autonomous coding agent, is susceptible to a bypass of its `.rooignore` protections via symlinks. An attacker with write access to the workspace can use a symlink to read files that the `.rooignore` rules are intended to exclude. Sensitive files such as `.env` or other configuration files, including any secrets and configuration details they hold, can therefore be exposed to anyone able to modify files within the workspace.
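The following is an added illustration of the bug class and its mitigation, not Roo Code's own code: a naive ignore check that judges only the requested path, beside a hardened check that resolves symlinks and applies both workspace containment and the ignore rules to the real target. The rule format (one path segment per line, trailing "/" allowed) and the constructed demo workspace are assumptions for the example.

```typescript
import * as fs from "fs";
import * as os from "os";
import * as path from "path";

// Constructed rules in a simplified .rooignore/.gitignore-style subset (assumed format):
// a path segment equal to a rule (trailing "/" stripped) marks the path as excluded.
const IGNORE_RULES = [".env", "secrets/"];

function matchesIgnoreRule(relPath: string): boolean {
  const segments = relPath.split(path.sep);
  return IGNORE_RULES.some((rule) => segments.includes(rule.replace(/\/$/, "")));
}

function insideWorkspace(realWorkspace: string, realTarget: string): boolean {
  const rel = path.relative(realWorkspace, realTarget);
  return rel !== "" && !rel.startsWith("..") && !path.isAbsolute(rel);
}

// Naive check: evaluates the ignore rules only against the path the caller typed.
// A symlink named "notes.txt" that points at ".env" passes, which is the bypass class.
export function naiveAllowed(_workspace: string, requested: string): boolean {
  return !matchesIgnoreRule(path.normalize(requested));
}

// Hardened check: resolve symlinks first, then apply containment and ignore rules
// to the real path, so the file actually read is the one the rules are judged on.
export function hardenedAllowed(workspace: string, requested: string): boolean {
  const realWorkspace = fs.realpathSync(workspace);
  let realTarget: string;
  try {
    realTarget = fs.realpathSync(path.join(realWorkspace, requested));
  } catch {
    return false; // dangling link or missing file: deny rather than guess
  }
  if (!insideWorkspace(realWorkspace, realTarget)) return false;
  return !matchesIgnoreRule(path.relative(realWorkspace, realTarget));
}

// Builds a constructed demo workspace with an excluded .env, a symlink to it,
// and a symlink to a file outside the workspace. Returns the workspace path.
export function buildDemoWorkspace(): string {
  const ws = fs.mkdtempSync(path.join(os.tmpdir(), "rooignore-demo-"));
  const outside = fs.mkdtempSync(path.join(os.tmpdir(), "outside-"));
  fs.writeFileSync(path.join(ws, ".env"), "API_KEY=constructed-sample\n");
  fs.writeFileSync(path.join(ws, "README.md"), "hello\n");
  fs.writeFileSync(path.join(outside, "id_sample"), "constructed private key\n");
  fs.symlinkSync(".env", path.join(ws, "notes.txt"));
  fs.symlinkSync(path.join(outside, "id_sample"), path.join(ws, "keys.txt"));
  return ws;
}
```

Resolving with `fs.realpathSync` before matching also catches links that lead outside the workspace entirely, which a path-string check never sees.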
Recommendations:
Update to version 3.26.0 or later.