CVE-2025-58373
Roo Code: Symlink-bypass of .rooignore can lead to unintended file disclosure
Severity Score
5.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions 3.25.23 and below contain a vulnerability where .rooignore protections could be bypassed using symlinks. This allows an attacker with write access to the workspace to trick the extension into reading files that were intended to be excluded. As a result, sensitive files such as .env or configuration files could be exposed. An attacker able to modify files within the workspace could gain unauthorized access to sensitive information by bypassing .rooignore rules. This could include secrets, configuration details, or other excluded project data. This is fixed in version 3.26.0.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2025-08-29 CVE Reserved
- 2025-09-05 CVE Published
- 2025-09-05 CVE Updated
- 2025-09-06 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-59: Improper Link Resolution Before File Access ('Link Following')
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-p76r-7mc3-qh7c | X_refsource_confirm | |
| https://github.com/RooCodeInc/Roo-Code/pull/7405 | X_refsource_misc | |
| https://github.com/RooCodeInc/Roo-Code/releases/tag/v3.26.0 | X_refsource_misc |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| RooCodeInc Search vendor "RooCodeInc" | Roo-Code Search vendor "RooCodeInc" for product "Roo-Code" | < 3.26.0 Search vendor "RooCodeInc" for product "Roo-Code" and version " < 3.26.0" | en |
Affected
| ||||||