CVE-2025-53536 Overview
CVE-2025-53536 is a code execution vulnerability in Roo Code, an AI-powered autonomous coding agent for Visual Studio Code. Prior to version 3.22.6, if a victim had the "Write" auto-approved setting enabled, an attacker with the ability to submit prompts to the AI agent could write to VS Code settings files and trigger arbitrary code execution. This vulnerability enables attackers to manipulate IDE configuration files to achieve command execution through legitimate VS Code functionality.
Critical Impact
An attacker can achieve arbitrary code execution on the victim's system by manipulating VS Code settings through the Roo Code AI agent, potentially leading to full system compromise.
Affected Products
- Roocode Roo Code versions prior to 3.22.6
- VS Code environments with Roo Code extension installed
- Systems with "Write" auto-approval enabled in Roo Code settings
Discovery Timeline
- 2025-07-07 - CVE-2025-53536 published to NVD
- 2025-09-15 - Last updated in NVD database
Technical Details for CVE-2025-53536
Vulnerability Analysis
This vulnerability falls under CWE-552 (Files or Directories Accessible to External Parties) and enables a sophisticated attack chain that leverages the AI agent's write capabilities to achieve code execution. The attack requires a combination of social engineering and prompt injection techniques to manipulate the autonomous coding agent into writing malicious configurations.
The vulnerability exploits the trust relationship between the AI agent and VS Code's settings infrastructure. When the "Write" permission is auto-approved, the agent can modify configuration files without additional user confirmation, creating an opportunity for attackers to inject malicious settings that trigger code execution.
Root Cause
The root cause lies in insufficient access controls and path restrictions within the Roo Code extension. The agent was permitted to write to sensitive VS Code settings files without proper validation or sandboxing of the write targets. VS Code settings files can specify executable paths for various language validators and tools, and the extension failed to recognize these paths as security-sensitive locations that should be protected from automated modification.
Attack Vector
The attack vector involves network-based prompt injection where an attacker submits crafted prompts to the Roo Code agent. One documented exploitation method involves manipulating the php.validate.executablePath setting:
- The attacker crafts a prompt that instructs the AI agent to modify VS Code settings
- With "Write" auto-approved, the agent writes to the VS Code settings file
- The attacker sets php.validate.executablePath to point to a malicious executable or command
- The attacker then creates a PHP file in the workspace
- VS Code's PHP validation automatically invokes the malicious executable, achieving code execution
This attack methodology could be adapted to target other VS Code settings that reference executable paths, making it a versatile exploitation technique for attackers who can influence the AI agent's actions.
Detection Methods for CVE-2025-53536
Indicators of Compromise
- Unexpected modifications to VS Code settings files (.vscode/settings.json or user-level settings)
- Changes to executable path settings such as php.validate.executablePath, python.pythonPath, or similar configuration options
- Unusual AI agent prompts requesting modifications to IDE configuration files
- Presence of suspicious executable files in non-standard locations referenced by VS Code settings
Detection Strategies
- Monitor file system changes to VS Code configuration directories for unauthorized modifications
- Implement logging for all Roo Code agent write operations to track configuration changes
- Use endpoint detection solutions to alert on process execution chains originating from VS Code settings-triggered validators
- Review AI agent conversation logs for prompt injection attempts targeting configuration files
Monitoring Recommendations
- Enable detailed audit logging for VS Code extension activities in enterprise environments
- Configure SentinelOne to monitor for suspicious process spawning from VS Code or related language validator processes
- Implement file integrity monitoring on IDE settings directories to detect unauthorized changes
- Establish baseline configurations for developer workstations and alert on deviations
How to Mitigate CVE-2025-53536
Immediate Actions Required
- Upgrade Roo Code to version 3.22.6 or later immediately
- Disable the "Write" auto-approval setting until the patch is applied
- Review VS Code settings files for any unauthorized modifications to executable paths
- Audit recent AI agent activity logs for suspicious prompt patterns
- Consider temporarily disabling the Roo Code extension in high-security environments until patching is complete
Patch Information
Roocode has released version 3.22.6 which addresses this vulnerability. The fix is documented in the following commits:
For complete details, see the GitHub Security Advisory GHSA-3765-5vjr-qjgm.
Workarounds
- Disable the "Write" auto-approval feature in Roo Code settings to require manual confirmation for all write operations
- Implement workspace trust policies to restrict which files and directories the AI agent can modify
- Use VS Code's restricted mode when working with untrusted content or external prompts
- Configure endpoint protection to block modification of VS Code settings files by unauthorized processes
# Verify Roo Code extension version in VS Code
code --list-extensions --show-versions | grep -i roo
# Check for and backup current VS Code settings before updating
cp ~/.config/Code/User/settings.json ~/.config/Code/User/settings.json.backup
# Update Roo Code extension via VS Code CLI
code --install-extension roocode.roo-code --force
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
