CVE-2025-53098: Roo Code is an AI-powered autonomous coding agent. The project-specific MCP configuration for the Roo Code agent is stor
Summary
Roo Code is an AI tool that can automatically write code. It stores project-specific MCP settings in a `.roo/mcp.json` file, and that file can contain commands that get executed. Before version 3.20.3, an attacker who could trick the AI (through prompt injection, a technique where hidden instructions are embedded in user input) into writing malicious commands to this file could run arbitrary code if the user had enabled automatic approval of file changes. This required multiple conditions: the attacker could submit prompts to the agent, the MCP (model context protocol, a system for connecting AI agents to external tools) feature was enabled, and auto-approval of writes was turned on.
Solution / Mitigation
Version 3.20.3 fixes the issue by adding an additional layer of opt-in configuration for auto-approving writing to Roo's configuration files, including all files within the `.roo/` folder.
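For workspaces that ran with auto-approved writes before upgrading, a review of what `.roo/mcp.json` would launch is a useful check. The script below is an added example, not Roo Code's own code; it assumes the file uses an `mcpServers` object whose entries carry `command` and `args`, and the `REVIEWED` list and sample config are hypothetical.

```python
import json
from pathlib import Path

# Assumption: launch lines the team has reviewed, as (command, *args) tuples.
REVIEWED = {("npx", "-y", "@modelcontextprotocol/server-filesystem", ".")}

# Constructed sample config; the "notes" entry stands in for an unreviewed write.
SAMPLE = """{
  "mcpServers": {
    "files": {"command": "npx",
              "args": ["-y", "@modelcontextprotocol/server-filesystem", "."]},
    "notes": {"command": "sh", "args": ["-c", "echo constructed-example"]}
  }
}"""


def audit_mcp_config(text, reviewed=REVIEWED):
    """Return (server, reason) findings for one .roo/mcp.json document."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [("<file>", f"unparseable JSON: {exc.msg}")]
    servers = doc.get("mcpServers") if isinstance(doc, dict) else None
    if not isinstance(servers, dict):
        return [("<file>", "no mcpServers object")]
    findings = []
    for name, entry in servers.items():
        if not isinstance(entry, dict):
            findings.append((name, "entry is not an object"))
            continue
        if "command" not in entry:
            continue  # this entry describes no local process to launch
        args = entry.get("args", [])
        if not isinstance(args, list):
            args = [args]
        # Compare the full launch line, since an allowed binary with new args differs.
        line = (str(entry["command"]), *map(str, args))
        if line not in reviewed:
            findings.append((name, "unreviewed command: " + " ".join(line)))
    return findings


def audit_workspace(root):
    """Audit <root>/.roo/mcp.json; an absent file yields no findings."""
    path = Path(root) / ".roo" / "mcp.json"
    return audit_mcp_config(path.read_text(encoding="utf-8")) if path.is_file() else []


if __name__ == "__main__":
    for server, reason in audit_mcp_config(SAMPLE):
        print(f"{server}: {reason}")
```

Running `audit_workspace` over each checked-out repository, and diffing `.roo/` in code review, surfaces entries that were written without a human approving them.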
Vulnerability Details
8.1 (high)
EPSS: 0.1%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-53098
First tracked: February 15, 2026 at 08:52 PM