CVE-2025-65946 HIGH

CVE-2025-65946: Roo Code is Vulnerable to Potential Remote Code Execution via zsh Command Validation Bug

Vendor Roocodeinc
Product Roo-Code
Weakness CWE-77
Published November 21, 2025
Last update November 25, 2025

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Prior to version 3.26.7, due to an error in command validation, Roo could automatically execute commands that did not match the allow-list prefixes. This issue has been patched in version 3.26.7.

Key dates

Disclosure timeline

November 21, 2025 CVE published
November 25, 2025 Record updated